CVE-2026-3646 is a missing authorization vulnerability (CWE-862) in the LTL Freight Quotes – R+L Carriers Edition WordPress plugin, affecting all versions up to 3.3.13. The issue arises because a standalone PHP webhook handler processes GET parameters without any authentication, authorization, or nonce verification. This allows unauthenticated attackers to modify WordPress options related to the plugin's subscription plan, including downgrading paid plans to trial plans, changing store types, and adjusting subscription expiration dates. These unauthorized changes can disable premium plugin features such as Dropship and Hazardous Material handling. The vulnerability has a CVSS 3.1 base score of 5.3 (medium severity), with an attack vector of network, no privileges required, and no user interaction needed. No patch or official fix has been published by the vendor as of the information provided.

An unauthenticated attacker can exploit this vulnerability to downgrade a store's subscription plan from paid to trial, change the store type, and manipulate subscription expiration dates. This can result in disabling premium features of the plugin, such as Dropship and Hazardous Material handling, potentially impacting business operations relying on these features. There is no indication of confidentiality or availability impact. No known exploits are reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should consider restricting access to the vulnerable webhook handler file, for example by implementing web server access controls or firewall rules to limit requests to trusted sources. Monitoring for unusual changes in subscription settings may help detect exploitation attempts. Avoid exposing the plugin's webhook endpoint publicly if possible.