Cyber Resilience

CVE-2025-22284

Severity: High
Published: 16 February 2025
Modified: 23 April 2026
KEV Added: not listed
CVSS v3.1 Score: 7.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L)
EPSS Score: 0.0009 (24.9th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-22284 is a high-severity Cross-site Scripting (CWE-79) vulnerability in Eniture Ltl Freight Quotes. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 24.9th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).

Deeper analysis

CVE-2025-22284 is an Improper Neutralization of Input During Web Page Generation vulnerability, classified as Reflected Cross-site Scripting (XSS) under CWE-79, in the WordPress plugin LTL Freight Quotes – Unishippers Edition (slug ltl-freight-quotes-unishippers-edition) by enituretechnology. All plugin versions up to and including 2.5.8 are affected; the advisory gives no lower bound ("from n/a"). The CVSS v3.1 base score is 7.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L): reachable over the network, low attack complexity, no privileges required, but user interaction is required, and the scope is changed because the injected script executes in the victim's browser rather than within the vulnerable plugin itself.

A remote, unauthenticated attacker exploits it by crafting a request whose parameter value is reflected unencoded into the generated page, then tricking a user into issuing that request, typically by clicking a malicious link. The script then runs in the victim's browser in the context of the WordPress site, giving the attacker low-impact confidentiality, integrity, and availability effects (session or form data read, page content altered, actions performed as the victim) across the changed scope.

The Patchstack advisory covering the affected versions (≤ 2.5.8) is at https://patchstack.com/database/Wordpress/Plugin/ltl-freight-quotes-unishippers-edition/vulnerability/wordpress-ltl-freight-quotes-unishippers-edition-plugin-2-5-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve.

Vulnerability details

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in enituretechnology LTL Freight Quotes – Unishippers Edition (ltl-freight-quotes-unishippers-edition) allows Reflected XSS. This issue affects LTL Freight Quotes – Unishippers Edition: from n/a through 2.5.8 (inclusive).

CWE(s)

CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1204.001 User Execution: Malicious Link (Execution)
An adversary may rely upon a user clicking a malicious link in order to gain execution.

Why these techniques?

Reflected XSS in a public-facing WordPress plugin maps directly to T1190 (exploiting an internet-facing application via crafted input) and relies on T1204.001 (the victim clicks a malicious link, which triggers script execution in their browser).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1
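Detection logic for the T1190 side of this, as an added example that is not from the page or the vendor: it scans web-server access-log lines (constructed below; the request paths and the `q` parameter name are assumptions, since the page does not identify the vulnerable endpoint) for reflected-XSS probes, URL-decoding twice so double-encoded payloads are not missed.

```python
"""Flag reflected-XSS probes in Apache/nginx "combined" access logs.

Added example, not the plugin's or the page's code. The sample log lines,
the paths and the parameter name `q` are constructed for illustration.
"""
import re
from urllib.parse import urlparse, parse_qs, unquote_plus

# "combined" log format: ip ident user [ts] "METHOD target proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Fragments that have no business in a freight-quote form parameter:
# tag injection, event-handler attributes, javascript: URLs.
XSS_MARKERS = re.compile(
    r'<\s*(script|img|svg|iframe|body|object|embed)\b'
    r'|\bon[a-z]+\s*='
    r'|javascript\s*:',
    re.IGNORECASE,
)

def decode_params(target):
    """Split the query string and decode each value a second time, so that a
    double-encoded payload such as %253Csvg%2520onload... is seen as <svg onload...."""
    params = parse_qs(urlparse(target).query, keep_blank_values=True)
    return {name: [unquote_plus(v) for v in values] for name, values in params.items()}

def scan(lines):
    """Return one finding per request that carries an XSS marker in any query value.
    A 200 status means the server reflected the page back, i.e. the probe was not blocked."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these separately
        hits = [(name, v) for name, values in decode_params(m["target"]).items()
                for v in values if XSS_MARKERS.search(v)]
        if hits:
            findings.append({
                "ip": m["ip"],
                "path": urlparse(m["target"]).path,
                "status": int(m["status"]),
                "hits": hits,
            })
    return findings

# Constructed sample log: one benign search, then three probes against an assumed
# quote endpoint (plain, double-encoded, and attribute break-out with an event handler).
SAMPLE_LOG = [
    '198.51.100.4 - - [16/Feb/2025:10:00:01 +0000] "GET /?s=freight+quote HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Feb/2025:10:00:02 +0000] "GET /shop/checkout/?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [16/Feb/2025:10:00:03 +0000] "GET /shop/checkout/?q=%253Csvg%2520onload%253Dalert(1)%253E HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [16/Feb/2025:10:00:04 +0000] "GET /shop/checkout/?q=%22%20onmouseover%3D%22alert(1)%22 HTTP/1.1" 403 0 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ip"], f["status"], f["path"], f["hits"])
```

The 200 responses are the ones to triage first: a WAF block (403) shows the probe was stopped, while a reflected 200 means the unpatched plugin served the payload back and a victim who follows such a link executes it.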

CVEs Like This One

CVE-2024-13490 (same product: Eniture Ltl Freight Quotes)
CVE-2025-22289 (same product: Eniture Ltl Freight Quotes)
CVE-2024-13489 (same product: Eniture Ltl Freight Quotes)
CVE-2024-13480 (same product: Eniture Ltl Freight Quotes)
CVE-2024-13481 (same product: Eniture Ltl Freight Quotes)
CVE-2024-13483 (same product: Eniture Ltl Freight Quotes)
CVE-2024-13477 (same product: Eniture Ltl Freight Quotes)
CVE-2024-13473 (same product: Eniture Ltl Freight Quotes)
CVE-2024-13485 (same product: Eniture Ltl Freight Quotes)
CVE-2024-13476 (same product: Eniture Ltl Freight Quotes)

Affected Assets

Vendor: eniture
Product: ltl freight quotes
Versions: ≤ 2.5.9 (note: the advisory text and the Patchstack entry on this page give the affected range as ≤ 2.5.8; confirm the installed version against the vendor's fixed release before relying on either bound)

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

SI-15 Information Output Filtering (prevent)
Output filtering addresses reflected XSS directly: every request-derived value is encoded for the HTML context it is written into (attribute, element body, URL, script) before it is placed in the generated page. This is the control that neutralizes the payload regardless of what input validation let through.

SI-10 Information Input Validation (prevent)
Input validation blocks malicious payloads at entry by restricting each parameter to the form the application expects (an allow-list for structured fields such as postal codes and carrier identifiers, length and character limits for free text). It narrows the attack surface but does not replace output encoding, since some payloads contain no tag at all.

SI-2 Flaw Remediation (prevent)
Timely patching removes the specific defect: update LTL Freight Quotes – Unishippers Edition beyond version 2.5.8 to the vendor's fixed release.
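To make the CWE-79 pattern and the SI-10/SI-15 controls above concrete, the following added example (not the plugin's code; the form field names `destination_zip` and `company`, the page template and the checkout URL are assumptions) renders a quote form the vulnerable way and the hardened way, then parses the result the way a browser would to see what would execute. In a WordPress plugin the equivalents are sanitize_text_field() on input and esc_attr()/esc_html() on output.

```python
"""Reflected XSS: the vulnerable rendering beside its hardened form.

Added example, not code from the plugin or the advisory. Field names, the
template and the URL are assumptions; payloads are constructed.
"""
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlencode, parse_qs

# Two constructed probes: one injects a tag, the other breaks out of the
# value="" attribute and adds an event handler without using any tag.
TAG_PAYLOAD = '"><script>alert(document.cookie)</script>'
HANDLER_PAYLOAD = '" onmouseover="alert(1)'

def attacker_link(base_url, params):
    """The link the victim must click (CVSS UI:R): the payload travels in the query
    string and the vulnerable page reflects it back into its own markup."""
    return base_url + "?" + urlencode(params)

def _first_values(query):
    return {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}

def render_vulnerable(query):
    """CWE-79: request parameters are interpolated into HTML unchanged."""
    p = _first_values(query)
    return ('<form method="post">'
            f'<input name="destination_zip" value="{p.get("destination_zip", "")}">'
            f'<input name="company" value="{p.get("company", "")}">'
            '</form>')

ZIP_RE = re.compile(r"\d{5}(?:-\d{4})?")  # US ZIP / ZIP+4 (assumed field format)

def validate_zip(raw):
    """SI-10, allow-list style: anything that is not a ZIP code is dropped entirely."""
    raw = raw.strip()
    return raw if ZIP_RE.fullmatch(raw) else ""

def sanitize_text(raw, max_len=100):
    """SI-10 for free text (in the spirit of WordPress sanitize_text_field()):
    strip tag-shaped fragments and non-printable characters, cap the length.
    Deliberately weak on its own: HANDLER_PAYLOAD passes through untouched."""
    cleaned = re.sub(r"<[^>]*>", "", raw)
    cleaned = "".join(ch for ch in cleaned if ch.isprintable())
    return cleaned.strip()[:max_len]

def attr(value):
    """SI-15: encode for the HTML-attribute context (WordPress: esc_attr())."""
    return html.escape(value, quote=True)

def render_hardened(query):
    """Validate on the way in, encode for the output context on the way out."""
    p = _first_values(query)
    zip_code = validate_zip(p.get("destination_zip", ""))
    company = sanitize_text(p.get("company", ""))
    return ('<form method="post">'
            f'<input name="destination_zip" value="{attr(zip_code)}">'
            f'<input name="company" value="{attr(company)}">'
            '</form>')

class _Audit(HTMLParser):
    """Collects what a browser would treat as executable: script tags and on* attributes."""
    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.event_handlers = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        self.event_handlers += [name for name, _ in attrs if name.startswith("on")]

def executable_content(document):
    a = _Audit()
    a.feed(document)
    return {"script_tags": a.script_tags, "event_handlers": a.event_handlers}

# Constructed requests: a legitimate quote lookup and the two probes.
QUERIES = {
    "benign": urlencode({"destination_zip": "30301", "company": "Acme Freight"}),
    "script": urlencode({"destination_zip": "30301", "company": TAG_PAYLOAD}),
    "handler": urlencode({"destination_zip": "30301", "company": HANDLER_PAYLOAD}),
}

if __name__ == "__main__":
    print(attacker_link("https://shop.example/checkout/", {"company": TAG_PAYLOAD}))
    for name, q in QUERIES.items():
        print(name, "vulnerable:", executable_content(render_vulnerable(q)),
              "hardened:", executable_content(render_hardened(q)))
```

The handler case is the one worth noticing: tag stripping (input validation alone) leaves `" onmouseover="alert(1)` intact and the vulnerable template turns it into a live attribute, while attribute encoding keeps it inert as a literal string. That is why SI-15 is the decisive control and SI-10 the supporting one.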

References

Patchstack advisory: https://patchstack.com/database/Wordpress/Plugin/ltl-freight-quotes-unishippers-edition/vulnerability/wordpress-ltl-freight-quotes-unishippers-edition-plugin-2-5-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve