CVE-2024-13488 Overview
CVE-2024-13488 is a SQL Injection vulnerability affecting the LTL Freight Quotes – Estes Edition plugin for WordPress. The flaw exists in versions up to and including 3.3.7 and stems from insufficient escaping of user-supplied input in the dropship_edit_id and edit_id parameters, combined with inadequate preparation of the underlying SQL query. Unauthenticated attackers can append additional SQL queries to existing queries and extract sensitive data from the WordPress database. The vulnerability is tracked under [CWE-89] and carries a network attack vector requiring no authentication or user interaction.
Critical Impact
Unauthenticated remote attackers can extract sensitive information from the WordPress database, including user credentials, session tokens, and configuration data, by injecting crafted payloads into the vulnerable parameters.
Affected Products
- Enituretechnology LTL Freight Quotes – Estes Edition plugin for WordPress
- All versions up to and including 3.3.7
- WordPress installations with the plugin enabled
Discovery Timeline
- 2025-02-15 - CVE-2024-13488 published to NVD
- 2025-02-28 - Last updated in NVD database
Technical Details for CVE-2024-13488
Vulnerability Analysis
The LTL Freight Quotes – Estes Edition plugin handles dropship delivery records using server-side PHP code that constructs SQL statements from request parameters. The plugin accepts the dropship_edit_id and edit_id parameters and concatenates their values directly into SQL queries without prepared statements or proper escaping. This pattern enables classic in-band and stacked SQL injection against the WordPress database.
Attackers can append UNION SELECT clauses or boolean-based payloads to read arbitrary tables, including wp_users and wp_options. Extraction of password hashes from wp_users enables offline cracking and subsequent administrative takeover. The EPSS percentile of 94.7 indicates a relatively high likelihood of exploitation activity compared to the broader CVE population.
Root Cause
The root cause is improper neutralization of special elements used in SQL commands [CWE-89]. The vulnerable code paths in warehouse-dropship/wild/includes/wild-delivery-save.php at lines 250 and 364 build SQL strings using direct parameter concatenation rather than the WordPress $wpdb->prepare() API. Without parameter binding, attacker-controlled characters such as single quotes and semicolons are interpreted as SQL syntax.
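The concatenation-versus-prepare contrast described above, shown as an added PHP illustration that is not the plugin's source: the table name dropship_records, the column id and the function names are assumptions.

```php
<?php
// Added illustration of the CWE-89 pattern described above. This is not the
// plugin's own code: the table name, column, and function names are assumed.

// VULNERABLE pattern: the request value is concatenated straight into the SQL
// string, so a quote, a semicolon or a trailing "OR ..." clause supplied by the
// client is parsed as SQL syntax instead of as data.
function load_dropship_record_vulnerable( $wpdb, $edit_id ) {
    $sql = "SELECT * FROM {$wpdb->prefix}dropship_records WHERE id = " . $edit_id;
    return $wpdb->get_row( $sql );
}

// HARDENED form: validate the shape first, then bind the value with
// $wpdb->prepare(). The %d placeholder accepts only an integer, so the query
// structure is fixed before any client-controlled data reaches the database.
function load_dropship_record_safe( $wpdb, $edit_id ) {
    // Strict whole-value check (same shape as the WAF rule on this page: ^[0-9]+$).
    // A bare (int) cast would silently accept "1 OR 1=1" as 1 and hide the probe.
    if ( ! ctype_digit( (string) $edit_id ) ) {
        return null;
    }
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}dropship_records WHERE id = %d",
        (int) $edit_id
    );
    return $wpdb->get_row( $sql );
}

// Request handling: read the parameter only when present and never trust its
// type; wp_unslash() removes the slashes WordPress adds to request data.
$edit_id = isset( $_REQUEST['edit_id'] ) ? wp_unslash( $_REQUEST['edit_id'] ) : '';
$record  = load_dropship_record_safe( $wpdb, $edit_id );
```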
Attack Vector
Exploitation requires only network access to the WordPress site hosting the plugin. An unauthenticated attacker issues an HTTP request to the vulnerable endpoint, supplying a malicious value for dropship_edit_id or edit_id. The injected SQL executes within the application's database context and returns extracted data either through the response body or via blind exfiltration techniques such as time-based or boolean-based inference.
No verified public proof-of-concept code is referenced in the advisory. See the WordPress Plugin Code Review at line 250 and line 364 for the vulnerable source locations.
Detection Methods for CVE-2024-13488
Indicators of Compromise
- HTTP requests containing SQL metacharacters or keywords such as ', --, UNION, SELECT, or SLEEP( in the dropship_edit_id or edit_id query parameters.
- Web server access logs showing unusually long parameter values or encoded payloads targeting plugin endpoints under /wp-content/plugins/ltl-freight-quotes-estes-edition/.
- Database error messages referencing SQL syntax errors logged near requests to the affected plugin paths.
- Unexpected queries against wp_users, wp_options, or information_schema tables issued by the WordPress application database user.
Detection Strategies
- Deploy Web Application Firewall (WAF) rules that flag SQL injection patterns in requests to plugin URLs containing dropship_edit_id or edit_id.
- Enable MySQL or MariaDB general query logging temporarily and review queries originating from the WordPress connection for UNION or INFORMATION_SCHEMA patterns.
- Correlate WordPress access logs with database audit logs to identify single requests producing multiple downstream queries.
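An added log-scanning example for the strategies listed above (not part of the advisory or the plugin): it parses access log lines in combined format and flags non-integer values of the two affected parameters on requests to the plugin path; the log lines and the endpoint file name dropship.php are constructed.

```php
<?php
// Added example: flag suspicious values of the two advisory parameters in web
// server access logs. The log lines below are constructed samples; the script
// name dropship.php is assumed, the plugin path follows the advisory.

const WATCHED_PARAMS = [ 'dropship_edit_id', 'edit_id' ];
const PLUGIN_PATH    = '/wp-content/plugins/ltl-freight-quotes-estes-edition/';

// One finding per request to the plugin path whose watched parameter is not a
// plain non-negative integer (the only legitimate shape for a record id).
function scan_access_log( array $lines ): array {
    $findings = [];
    foreach ( $lines as $line ) {
        // Combined log format: client - - [time] "METHOD target HTTP/x" status size
        if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
            continue;
        }
        [ , $client, $target, $status ] = $m;
        $parts = parse_url( $target );
        if ( empty( $parts['path'] ) || strpos( $parts['path'], PLUGIN_PATH ) !== 0 ) {
            continue; // not a plugin endpoint
        }
        parse_str( $parts['query'] ?? '', $params ); // also URL-decodes %27 etc.
        foreach ( WATCHED_PARAMS as $name ) {
            if ( isset( $params[ $name ] ) && ! ctype_digit( (string) $params[ $name ] ) ) {
                $findings[] = [
                    'client' => $client,
                    'param'  => $name,
                    'value'  => (string) $params[ $name ],
                    // a 500 next to a malformed id is the syntax-error signal from the list above
                    'db_error_likely' => ( '500' === $status ),
                ];
            }
        }
    }
    return $findings;
}

$sample_log = [
    '203.0.113.7 - - [15/Feb/2025:10:00:01 +0000] "GET /wp-content/plugins/ltl-freight-quotes-estes-edition/dropship.php?edit_id=42 HTTP/1.1" 200 512',
    '203.0.113.7 - - [15/Feb/2025:10:00:02 +0000] "GET /wp-content/plugins/ltl-freight-quotes-estes-edition/dropship.php?dropship_edit_id=42%27%20UNION%20SELECT HTTP/1.1" 500 0',
    '198.51.100.9 - - [15/Feb/2025:10:00:03 +0000] "GET /index.php?edit_id=1%27 HTTP/1.1" 200 2048',
];
foreach ( scan_access_log( $sample_log ) as $f ) {
    printf( "%s %s=%s db_error_likely=%s\n", $f['client'], $f['param'], $f['value'], $f['db_error_likely'] ? 'yes' : 'no' );
}
```

Only the second sample line is reported: the first carries a plain integer and the third does not target the plugin path.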
Monitoring Recommendations
- Monitor for sustained scanning behavior from single source IPs targeting the affected plugin paths.
- Alert on HTTP 500 responses from the plugin endpoints, which often indicate SQL syntax errors triggered by injection probes.
- Track baseline query volumes against wp_users and alert on anomalous read patterns.
How to Mitigate CVE-2024-13488
Immediate Actions Required
- Update the LTL Freight Quotes – Estes Edition plugin to a version newer than 3.3.7 as published in the WordPress Plugin Changeset.
- Rotate WordPress administrator passwords and invalidate active sessions if the plugin was exposed publicly.
- Review database audit logs for evidence of unauthorized SELECT activity against sensitive tables.
- Block requests containing suspicious payloads in the affected parameters at the WAF or reverse proxy.
Patch Information
The vendor addressed the vulnerability in the changeset published on the WordPress Plugin repository. See the Wordfence Vulnerability Report for the corrected version details and the WordPress Plugin Changeset Overview for the source-level fix that introduces parameter preparation.
Workarounds
- Disable and remove the LTL Freight Quotes – Estes Edition plugin until the patch is applied.
- Restrict access to plugin endpoints to authenticated administrator sessions using web server access control rules.
- Apply virtual patching at the WAF layer to reject requests where dropship_edit_id or edit_id contain non-numeric characters.
- Enforce least-privilege database accounts for the WordPress connection to limit the scope of data accessible via injection.
# Example WAF rule (ModSecurity) to block non-numeric values in vulnerable parameters
SecRule ARGS:dropship_edit_id|ARGS:edit_id "!@rx ^[0-9]+$" \
"id:1002024134880,phase:2,deny,status:403,log,\
msg:'CVE-2024-13488 SQL Injection attempt blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.