CVE-2024-13477 is an SQL Injection vulnerability identified in the LTL Freight Quotes – Unishippers Edition WordPress plugin, affecting all versions up to and including 2.5.8. The root cause is insufficient escaping and lack of prepared statements for the 'edit_id' parameter, which is user-supplied. This allows unauthenticated attackers to append arbitrary SQL commands to existing queries, potentially extracting sensitive data from the backend database. The vulnerability does not require any authentication or user interaction, increasing its risk profile. The CVSS 3.1 base score is 7.5 (high), reflecting network attack vector, low attack complexity, no privileges required, and high confidentiality impact but no integrity or availability impact. No public exploits have been reported yet, but the vulnerability is straightforward to exploit given the nature of SQL Injection flaws. The plugin is used in WordPress environments primarily for freight quote management, which may contain sensitive business and customer data. The lack of patch links indicates that a fix may not yet be publicly available, emphasizing the need for interim mitigations. This vulnerability falls under CWE-89, a common and critical injection flaw category.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the database, such as customer data, freight quotes, pricing, and potentially credentials or configuration details. Since the vulnerability allows unauthenticated remote exploitation, attackers can leverage it to conduct data breaches without needing access credentials. This can lead to loss of confidentiality, reputational damage, regulatory penalties, and potential financial losses for affected organizations. Although the vulnerability does not directly affect data integrity or availability, the exposure of sensitive data can facilitate further attacks or fraud. Organizations in logistics, freight management, and related sectors using this plugin are at particular risk. The widespread use of WordPress and the plugin's niche in freight quotes means that multiple businesses globally could be impacted if the vulnerability is exploited at scale.

1. Monitor for an official patch or update from enituretechnology and apply it immediately once available. 2. Until a patch is released, implement strict input validation and sanitization on the 'edit_id' parameter at the web server or application firewall level to block suspicious payloads. 3. Deploy a Web Application Firewall (WAF) with rules specifically targeting SQL Injection patterns to detect and block exploitation attempts. 4. Restrict public access to the plugin’s functionality if feasible, for example by IP whitelisting or authentication enforcement. 5. Conduct regular database and application logs monitoring to detect unusual query patterns or access attempts. 6. Consider temporarily disabling or removing the plugin if it is not critical to operations until a secure version is available. 7. Educate development and security teams about the risks of SQL Injection and the importance of using parameterized queries and prepared statements in custom code.