CVE-2026-3646 is a missing authorization vulnerability (CWE-862) in the LTL Freight Quotes – R+L Carriers Edition WordPress plugin. The issue arises from a standalone PHP webhook handler that processes GET parameters without authentication, authorization, or nonce verification. This allows unauthenticated attackers to modify WordPress options related to subscription plans, including downgrading paid plans to trial, changing store types, and altering subscription expiration dates. The vulnerability affects all versions up to and including 3.3.13. It has a CVSS 3.1 base score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N), reflecting a network attack vector with low complexity and no privileges required, causing integrity impact but no confidentiality or availability impact. No patch or official fix has been published, and the plugin is not a cloud service, so remediation depends on vendor updates or manual mitigation.

An unauthenticated attacker can modify subscription-related settings in the affected plugin, such as downgrading the store from a paid plan to a trial plan, changing the store type, and manipulating subscription expiration dates. This can disable premium features including Dropship and Hazardous Material handling. The integrity of subscription management is compromised, but there is no direct impact on confidentiality or availability. No known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Since no official fix or patch is currently available, users should monitor the vendor's communications for updates. As a temporary measure, restricting access to the vulnerable webhook handler or implementing custom authorization checks may reduce risk. Avoid exposing the webhook endpoint publicly until a fix is released.