Vulnerabilites related to enituretechnology - LTL Freight Quotes – Daylight Edition
CVE-2025-5303 (GCVE-0-2025-5303)
Vulnerability from cvelistv5
Published
2025-06-07 08:22
Modified
2025-06-09 15:08
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Summary
The LTL Freight Quotes – Freightview Edition, LTL Freight Quotes – Daylight Edition and LTL Freight Quotes – Day & Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expiry_date parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
References
Impacted products
| Vendor | Product | Version | ||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| ▼ | enituretechnology | LTL Freight Quotes – Freightview Edition |
Version: * ≤ 1.0.11 |
|||||||||||
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-5303",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-09T15:08:23.879538Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-09T15:08:29.196Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "LTL Freight Quotes \u2013 Freightview Edition",
"vendor": "enituretechnology",
"versions": [
{
"lessThanOrEqual": "1.0.11",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "LTL Freight Quotes \u2013 Day \u0026 Ross Edition",
"vendor": "enituretechnology",
"versions": [
{
"lessThanOrEqual": "2.1.10",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
},
{
"defaultStatus": "unaffected",
"product": "LTL Freight Quotes \u2013 Daylight Edition",
"vendor": "enituretechnology",
"versions": [
{
"lessThanOrEqual": "2.2.6",
"status": "affected",
"version": "*",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Dzmitry Sviatlichny"
}
],
"descriptions": [
{
"lang": "en",
"value": "The LTL Freight Quotes \u2013 Freightview Edition, LTL Freight Quotes \u2013 Daylight Edition and LTL Freight Quotes \u2013 Day \u0026 Ross Edition plugins for WordPress are vulnerable to Stored Cross-Site Scripting via the expiry_date parameter in all versions up to, and including, 1.0.11, 2.2.6 and 2.1.10 respectively, due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
}
],
"metrics": [
{
"cvssV3_1": {
"baseScore": 7.2,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-07T08:22:28.265Z",
"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"shortName": "Wordfence"
},
"references": [
{
"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05fc4b17-7922-45a4-aac8-a47b3f50ce69?source=cve"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-freightview-edition/tags/1.0.11/en-hit-to-update-plan.php#L29"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-freightview-edition/tags/1.0.11/common/en-plans.php#L110"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-daylight-edition/tags/2.2.6/en-hit-to-update-plan.php#L29"
},
{
"url": "https://plugins.trac.wordpress.org/browser/ltl-freight-quotes-day-ross-edition/trunk/en-hit-to-update-plan.php#L29"
}
],
"timeline": [
{
"lang": "en",
"time": "2025-03-28T00:00:00.000+00:00",
"value": "Discovered"
},
{
"lang": "en",
"time": "2025-06-06T20:22:12.000+00:00",
"value": "Disclosed"
}
],
"title": "LTL Freight Quotes \u2013 Freightview Edition \u003c= 1.0.11, LTL Freight Quotes \u2013 Daylight Edition \u003c=2.2.6 and LTL Freight Quotes \u2013 Day \u0026 Ross Edition \u003c= 2.1.10 - Unauthenticated Stored Cross-Site Scripting via `expiry_date` Parameter"
}
},
"cveMetadata": {
"assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
"assignerShortName": "Wordfence",
"cveId": "CVE-2025-5303",
"datePublished": "2025-06-07T08:22:28.265Z",
"dateReserved": "2025-05-28T11:04:02.438Z",
"dateUpdated": "2025-06-09T15:08:29.196Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-58643 (GCVE-0-2025-58643)
Vulnerability from cvelistv5
Published
2025-09-03 14:36
Modified
2025-09-03 17:18
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-502 - Deserialization of Untrusted Data
Summary
Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes – Daylight Edition allows Object Injection. This issue affects LTL Freight Quotes – Daylight Edition: from n/a through 2.2.7.
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| enituretechnology | LTL Freight Quotes – Daylight Edition |
Version: n/a < |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-58643",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-09-03T17:18:43.868961Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T17:18:48.422Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://wordpress.org/plugins",
"defaultStatus": "unaffected",
"packageName": "ltl-freight-quotes-daylight-edition",
"product": "LTL Freight Quotes \u2013 Daylight Edition",
"vendor": "enituretechnology",
"versions": [
{
"changes": [
{
"at": "2.2.8",
"status": "unaffected"
}
],
"lessThanOrEqual": "2.2.7",
"status": "affected",
"version": "n/a",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"user": "00000000-0000-4000-9000-000000000000",
"value": "mcdruid (Patchstack Alliance)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eDeserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes \u2013 Daylight Edition allows Object Injection.\u003c/p\u003e\u003cp\u003eThis issue affects LTL Freight Quotes \u2013 Daylight Edition: from n/a through 2.2.7.\u003c/p\u003e"
}
],
"value": "Deserialization of Untrusted Data vulnerability in enituretechnology LTL Freight Quotes \u2013 Daylight Edition allows Object Injection. This issue affects LTL Freight Quotes \u2013 Daylight Edition: from n/a through 2.2.7."
}
],
"impacts": [
{
"capecId": "CAPEC-586",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-586 Object Injection"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-502",
"description": "CWE-502 Deserialization of Untrusted Data",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-09-03T14:36:59.652Z",
"orgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"shortName": "Patchstack"
},
"references": [
{
"tags": [
"vdb-entry"
],
"url": "https://patchstack.com/database/wordpress/plugin/ltl-freight-quotes-daylight-edition/vulnerability/wordpress-ltl-freight-quotes-daylight-edition-plugin-2-2-7-php-object-injection-vulnerability?_s_id=cve"
}
],
"solutions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Update the WordPress LTL Freight Quotes \u2013 Daylight Edition plugin to the latest available version (at least 2.2.8)."
}
],
"value": "Update the WordPress LTL Freight Quotes \u2013 Daylight Edition plugin to the latest available version (at least 2.2.8)."
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "WordPress LTL Freight Quotes \u2013 Daylight Edition Plugin \u003c= 2.2.7 - PHP Object Injection Vulnerability",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3",
"assignerShortName": "Patchstack",
"cveId": "CVE-2025-58643",
"datePublished": "2025-09-03T14:36:59.652Z",
"dateReserved": "2025-09-03T09:03:20.489Z",
"dateUpdated": "2025-09-03T17:18:48.422Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}