Skip to main content
CVE Vulnerability Database

CVE-2026-3646: WordPress LTL Freight Plugin Auth Bypass

CVE-2026-3646 is an authentication bypass flaw in the LTL Freight Quotes WordPress plugin that lets attackers modify subscription settings without authorization. This article covers the technical details, affected versions, and mitigation.

Updated:

CVE-2026-3646 Overview

CVE-2026-3646 is a missing authorization vulnerability in the LTL Freight Quotes – R+L Carriers Edition plugin for WordPress. The flaw affects all versions up to and including 3.3.13. The plugin exposes a standalone PHP webhook handler, en-hit-to-update-plan.php, that processes GET parameters and updates WordPress options without authentication, authorization, or nonce verification. Unauthenticated attackers can modify the plugin's subscription plan settings, downgrade the store from a paid plan to the Trial Plan, change the store type, and manipulate subscription expiration dates. This can disable premium features such as Dropship and Hazardous Material handling on affected WooCommerce stores.

Critical Impact

Unauthenticated remote attackers can tamper with plugin subscription state and disable paid features on any vulnerable WordPress site.

Affected Products

  • LTL Freight Quotes – R+L Carriers Edition plugin for WordPress (all versions ≤ 3.3.13)
  • WordPress sites running WooCommerce with the affected plugin installed
  • Stores relying on the plugin for Dropship or Hazardous Material handling features

Discovery Timeline

  • 2026-04-08 - CVE-2026-3646 published to NVD
  • 2026-04-27 - Last updated in NVD database

Technical Details for CVE-2026-3646

Vulnerability Analysis

The vulnerability is classified as Missing Authorization [CWE-862]. The plugin ships a standalone PHP file, en-hit-to-update-plan.php, that is directly reachable over HTTP. The script reads attacker-controlled GET parameters and writes them into WordPress options through the standard options API. Because the file is not loaded through the WordPress admin handler chain, it never invokes current_user_can(), is_user_logged_in(), or wp_verify_nonce(). Any unauthenticated client that can reach the plugin URL can change subscription plan state. The result is an integrity impact on plugin configuration without affecting confidentiality or service availability.

Root Cause

The root cause is the absence of three controls on a state-changing endpoint: authentication, capability checks, and nonce verification. The script treats inbound GET parameters as trusted webhook input and writes them directly to options such as the subscription plan tier, store type, and expiration timestamp. Standalone PHP files placed inside plugin directories bypass WordPress request lifecycle hooks that normally enforce access control.

Attack Vector

An attacker sends a crafted HTTP GET request to the publicly reachable en-hit-to-update-plan.php file with parameters that specify the desired plan, store type, and expiration date. The handler updates the corresponding WordPress options and the plugin then reflects the attacker-chosen state on the next page load. No authentication, user interaction, or prior knowledge of the site is required. Refer to the Wordfence Vulnerability Report and the WordPress Plugin Changeset for the vulnerable code paths.

No verified exploit code is published. See the linked WordPress plugin source
references for the vulnerable handler in en-hit-to-update-plan.php (lines 32-49).

Detection Methods for CVE-2026-3646

Indicators of Compromise

  • HTTP GET requests to /wp-content/plugins/ltl-freight-quotes-rl-edition/en-hit-to-update-plan.php from unauthenticated sources.
  • Unexpected changes to WordPress options tied to the plugin's subscription plan, store type, or expiration date.
  • Plugin reverting to Trial Plan state on sites that previously held a paid subscription.
  • Premium features such as Dropship or Hazardous Material handling suddenly disabled without administrative action.

Detection Strategies

  • Review web server access logs for any request to en-hit-to-update-plan.php, especially with query strings containing plan or expiration parameters.
  • Audit the wp_options table for unexpected modifications to plugin-managed keys.
  • Compare current plugin subscription state against billing records from R+L Carriers to identify silent downgrades.

Monitoring Recommendations

  • Alert on any external HTTP access to standalone PHP files inside plugin directories.
  • Enable WordPress audit logging for option changes and correlate with source IPs.
  • Monitor for the file path pattern in WAF logs and block direct access where the plugin does not require it.

How to Mitigate CVE-2026-3646

Immediate Actions Required

  • Update the LTL Freight Quotes – R+L Carriers Edition plugin to a version newer than 3.3.13 once available from the vendor.
  • Block direct HTTP access to en-hit-to-update-plan.php at the web server or WAF layer.
  • Audit wp_options entries owned by the plugin and restore correct subscription plan values where tampering is suspected.
  • Rotate any API credentials the plugin holds for the R+L Carriers integration.

Patch Information

Review the WordPress Plugin Changeset for the upstream fix and apply the latest plugin release from the WordPress.org plugin repository. The fix should introduce authentication, capability, and nonce checks on the webhook handler.

Workarounds

  • Deny access to en-hit-to-update-plan.php using web server rules until the plugin is updated.
  • Restrict access to the plugin path by source IP if the webhook caller is known.
  • Temporarily deactivate the plugin on sites that do not currently rely on R+L Carriers freight quoting.
bash
# Nginx: block direct access to the vulnerable webhook handler
location ~* /wp-content/plugins/ltl-freight-quotes-rl-edition/en-hit-to-update-plan\.php$ {
    deny all;
    return 403;
}

# Apache .htaccess equivalent
<Files "en-hit-to-update-plan.php">
    Require all denied
</Files>

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.