Missing Authorization Vulnerability in R+L Carriers Edition Plugin for WordPress
CVE-2026-3646
5.3 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 8 April 2026
What is CVE-2026-3646?
The R+L Carriers Edition plugin for WordPress is susceptible to a missing authorization issue in its webhook handler. The flaw primarily stems from inadequate authentication controls and nonce verification in a specific PHP file that directly handles GET parameters and modifies WordPress options. As a result, unauthenticated attackers can alter critical plugin settings, such as downgrading active subscription plans, changing store types, and adjusting subscription expiration dates. This vulnerability poses a significant risk to users, potentially leading to the loss of premium features, including Dropship and Hazardous Material handling.
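One way a webhook that writes WordPress options can authorize its caller and validate its input, as an added example (not the plugin's code or its actual patch). The route, header names, option keys and plan list are hypothetical, and an HMAC signature over the request body stands in for a nonce, on the assumption that the sending service shares a per-site secret.

```php
<?php
// Hypothetical names throughout: route, headers, option keys and plan list are assumptions.
const EX_ALLOWED_PLANS = array( 'basic', 'standard', 'advanced' );

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-carrier/v1', '/subscription', array(
        'methods'             => 'POST', // state changes are not accepted over GET
        'callback'            => 'ex_apply_subscription_update',
        'permission_callback' => 'ex_verify_webhook_signature',
    ) );
} );

// Authorize the caller: HMAC-SHA256 over "<timestamp>.<raw body>" with the shared secret.
function ex_verify_webhook_signature( WP_REST_Request $request ) {
    $secret = (string) get_option( 'ex_webhook_secret', '' );
    $sig    = (string) $request->get_header( 'x_example_signature' );
    $ts     = (int) $request->get_header( 'x_example_timestamp' );
    // Fail closed: no secret configured, no signature, or a timestamp older than 5 minutes.
    if ( '' === $secret || '' === $sig || abs( time() - $ts ) > 300 ) {
        return new WP_Error( 'ex_forbidden', 'Unsigned or stale webhook.', array( 'status' => 403 ) );
    }
    $expected = hash_hmac( 'sha256', $ts . '.' . $request->get_body(), $secret );
    if ( ! hash_equals( $expected, $sig ) ) { // constant-time comparison
        return new WP_Error( 'ex_forbidden', 'Bad signature.', array( 'status' => 403 ) );
    }
    return true;
}

// Validate every field against an allow-list or strict format before update_option().
function ex_apply_subscription_update( WP_REST_Request $request ) {
    $data = json_decode( $request->get_body(), true );
    $plan = is_array( $data ) && isset( $data['plan'] ) ? sanitize_key( $data['plan'] ) : '';
    $exp  = is_array( $data ) && isset( $data['expires'] ) ? (string) $data['expires'] : '';
    $date = DateTime::createFromFormat( '!Y-m-d', $exp );
    if ( ! in_array( $plan, EX_ALLOWED_PLANS, true ) || ! $date || $date->format( 'Y-m-d' ) !== $exp ) {
        return new WP_Error( 'ex_invalid', 'Rejected field value.', array( 'status' => 400 ) );
    }
    update_option( 'ex_subscription_plan', $plan );
    update_option( 'ex_subscription_expires', $exp );
    return rest_ensure_response( array( 'updated' => true ) );
}
```

Because the permission callback runs before the handler, an unsigned request is rejected with a 403 and never reaches `update_option()`.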
Affected Version(s)
LTL Freight Quotes – R+L Carriers Edition 0 <= 3.3.13