CVE-2025-22284
Published: 16 February 2025
Summary
CVE-2025-22284 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Eniture Ltl Freight Quotes. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 24.9th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Deeper analysis
CVE-2025-22284 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, affecting the WordPress plugin LTL Freight Quotes – Unishippers Edition (ltl-freight-quotes-unishippers-edition) developed by enituretechnology. This issue impacts all versions of the plugin from n/a through 2.5.8 inclusive. The vulnerability has a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L), indicating high severity due to its network accessibility and scope change.
A remote, unauthenticated attacker can exploit this vulnerability by crafting input that the plugin reflects back into the generated page and tricking a user into interacting with it, for example by clicking a malicious link. On success, the attacker's script runs in the victim's browser context. The CVSS vector rates the confidentiality, integrity and availability impacts as low, with a scope change because the script executes in the user's browser rather than within the vulnerable component itself.
The Patchstack advisory provides details on this vulnerability, including assessment for the affected WordPress plugin versions up to 2.5.8, available at https://patchstack.com/database/Wordpress/Plugin/ltl-freight-quotes-unishippers-edition/vulnerability/wordpress-ltl-freight-quotes-unishippers-edition-plugin-2-5-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-2687
Vulnerability details
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology LTL Freight Quotes – Unishippers Edition ltl-freight-quotes-unishippers-edition allows Reflected XSS. This issue affects LTL Freight Quotes – Unishippers Edition: from n/a through <= 2.5.8.
Related Threats: MITRE ATT&CK Enterprise Techniques
Why these techniques?
Reflected XSS in a public-facing WordPress plugin directly enables T1190 (exploiting an internet-facing application via crafted input) and facilitates T1204.001 (the user clicks a malicious link, triggering script execution in the browser).
Mitigating Controls (NIST 800-53 r5)
Information output filtering (SI-15) directly prevents reflected XSS by encoding or sanitizing user-supplied values before they are written into dynamically generated web pages, using the escaping appropriate to the HTML context where the value lands.
Information input validation (SI-10) blocks malicious payloads at the point of entry, addressing the improper neutralization of input in the WordPress plugin's web page generation.
Flaw remediation (SI-2) ensures timely patching of the specific XSS vulnerability in LTL Freight Quotes – Unishippers Edition versions up to 2.5.8.
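To make the two controls concrete, the following is an added example (not the plugin's own code and not taken from the Patchstack advisory) of the generic CWE-79 pattern beside its hardened form, written in WordPress-plugin-style PHP. The handler, the parameter name `ltl_quote_origin` and the validation pattern are assumptions for illustration only; the `function_exists` fallbacks stand in for WordPress's real `esc_html()`, `esc_attr()` and `sanitize_text_field()` so that the file runs outside WordPress.

```php
<?php
// Added example: a reflected-XSS pattern and its hardened form, in WordPress
// plugin style. Hypothetical handler; not the plugin's own code. The parameter
// name "ltl_quote_origin" is an assumption made for this illustration.

// Minimal stand-ins so the file runs outside WordPress. Inside WordPress the
// real esc_html()/esc_attr()/sanitize_text_field() are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        // Approximation of the WordPress behaviour: strip tags and control
        // characters, then trim surrounding whitespace.
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        return trim($text);
    }
}

// Vulnerable pattern (CWE-79): a request value is written straight into the
// page, both inside an attribute and as element text, with no neutralization.
function render_origin_vulnerable(array $query): string {
    $origin = $query['ltl_quote_origin'] ?? '';
    return '<input type="text" name="ltl_quote_origin" value="' . $origin . '">'
         . '<p>Quote for origin: ' . $origin . '</p>';
}

// Hardened pattern: validate on input (SI-10) and encode on output (SI-15),
// picking the escaper that matches the HTML context each value lands in.
function render_origin_hardened(array $query): string {
    $origin = sanitize_text_field($query['ltl_quote_origin'] ?? '');
    // Input validation: a postal-code style field has a narrow legal shape
    // (assumed pattern for the example); anything else is rejected outright.
    if (!preg_match('/^[A-Za-z0-9 -]{0,12}$/', $origin)) {
        $origin = '';
    }
    return '<input type="text" name="ltl_quote_origin" value="' . esc_attr($origin) . '">'
         . '<p>Quote for origin: ' . esc_html($origin) . '</p>';
}

// Constructed request carrying a script-bearing value, used only to show the
// difference in the generated markup between the two handlers.
$constructed_query = ['ltl_quote_origin' => '"><script>alert(1)</script>'];
echo render_origin_vulnerable($constructed_query), "\n";
echo render_origin_hardened($constructed_query), "\n";
```

Run with `php example.php`: the vulnerable handler emits the quote and angle brackets verbatim, so the attribute is closed early and a script element appears in the page, while the hardened handler rejects the value at validation and, even if validation were loosened, `esc_attr()` and `esc_html()` would turn the quote and brackets into character references that the browser renders as text. The point of the two escapers is context: `esc_attr()` for values inside attributes, `esc_html()` for element text, which is exactly the output-filtering step SI-15 describes.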