{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-1483", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-02-19T21:13:44.386Z", "datePublished": "2025-02-20T09:21:35.504Z", "dateUpdated": "2026-04-08T16:34:23.629Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:23.629Z"}, "affected": [{"vendor": "enituretechnology", "product": "LTL Freight Quotes \u2013 GlobalTranz Edition", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "2.3.12", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LTL Freight Quotes \u2013 GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to update the drop shipping settings."}], "title": "LTL Freight Quotes \u2013 GlobalTranz Edition <= 2.3.12 - Missing Authorization to Unauthenticated Settings Update", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0906e9b0-5093-4ddd-8868-8fcaad8e3a5b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3243002/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Colin Xu"}], "timeline": [{"time": "2025-02-19T00:00:00.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-02-20T14:29:11.041280Z", "id": "CVE-2025-1483", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-20T14:29:19.702Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-1483", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-02-20T14:29:11.041280Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-02-20T14:29:16.268Z"}}], "cna": {"title": "LTL Freight Quotes \u2013 GlobalTranz Edition <= 2.3.12 - Missing Authorization to Unauthenticated Settings Update", "credits": [{"lang": "en", "type": "finder", "value": "Colin Xu"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "enituretechnology", "product": "LTL Freight Quotes \u2013 GlobalTranz Edition", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "2.3.12"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-02-19T00:00:00.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0906e9b0-5093-4ddd-8868-8fcaad8e3a5b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3243002/"}], "descriptions": [{"lang": "en", "value": "The LTL Freight Quotes \u2013 GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to update the drop shipping settings."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:34:23.629Z"}}}, "cveMetadata": {"cveId": "CVE-2025-1483", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:34:23.629Z", "dateReserved": "2025-02-19T21:13:44.386Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-02-20T09:21:35.504Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wwexgroup:ltl_freight_quotes:*:*:*:*:globaltranz:wordpress:*:*", "matchCriteriaId": "F1ABF446-2227-40C2-A155-0DB3E10E8D78", "versionEndExcluding": "2.3.13", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The LTL Freight Quotes \u2013 GlobalTranz Edition plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the engtz_wd_save_dropship AJAX endpoint in all versions up to, and including, 2.3.12. This makes it possible for unauthenticated attackers to update the drop shipping settings."}, {"lang": "es", "value": "El complemento LTL Freight Quotes \u2013 GlobalTranz Edition para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una verificaci\u00f3n de capacidad faltante en el endpoint AJAX engtz_wd_save_dropship en todas las versiones hasta la 2.3.12 incluida. Esto permite que atacantes no autenticados actualicen la configuraci\u00f3n de env\u00edo directo."}], "id": "CVE-2025-1483", "lastModified": "2025-02-25T18:59:39.860", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-02-20T10:15:12.537", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://plugins.trac.wordpress.org/changeset/3243002/"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0906e9b0-5093-4ddd-8868-8fcaad8e3a5b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T17:56:04.455104+00:00", "value": {"mitigation_remediation": ["Update the LTL Freight Quotes \u2013 GlobalTranz Edition plugin to the latest available version (>= 2.3.13) which includes the missing capability check.", "If an immediate upgrade is not possible, block unauthenticated access to the engtz_wd_save_dropship AJAX endpoint by configuring your web server or firewall to require authentication before allowing POST or GET requests to that URL.", "Implement general WordPress security hardening: ensure that only trusted administrators have high\u2011privilege roles, disable unused plugins and AJAX endpoints, and regularly review role capabilities to prevent privilege escalation."], "summary": {"action": "Upgrade Plugin", "impact": "Unauthenticated Settings Modification"}, "threat_synthesis": {"affected_systems": "All installations of the Eniture Technology LTL Freight Quotes \u2013 GlobalTranz Edition plugin up to and including version 2.3.12 are affected. The product runs within WordPress environments and is identified by the package name used by the plugin author.", "description_and_impact": "The LTL Freight Quotes \u2013 GlobalTranz Edition WordPress plugin contains a missing capability check on the engtz_wd_save_dropship AJAX endpoint, allowing anyone with access to the site to modify drop shipping settings without authentication. This flaw, classified as Unauthorized Access Control (CWE-862), could enable attackers to alter shipping rates, routes, or other configuration data, potentially leading to financial loss or service disruption.", "risk_and_exploitability": "The vulnerability receives a CVSS score of 5.3, indicating moderate severity, and an EPSS score of less than 1%, meaning exploitation is considered unlikely at present. It is not listed in the CISA KEV catalog. Attackers can exploit the flaw by simply sending requests to the unprotected AJAX endpoint from any location with access to the site, without needing valid credentials or elevated privileges."}}}}, "created": "2026-04-22T18:00:05.483167+00:00", "updated": "2026-04-22T18:00:05.483178+00:00", "vendors": []}