Authentication Bypass Vulnerability Affects LatePoint Plugin for WordPress
CVE-2024-8943

9.8CRITICAL

Key Information:

Vendor: Wordpress
Status: Latepoint Plugin
Vendor: CVE Published:; 8 October 2024

Summary

The LatePoint plugin for WordPress contains an authentication bypass vulnerability that affects versions up to and including 5.0.12. Due to inadequate verification of the user supplied during the booking customer process, unauthenticated attackers can potentially log in as any existing user on the site, including administrators, if they possess the necessary user ID. The risk is elevated when the 'Use WordPress users as customers' setting is enabled, which is not the default configuration. The issue has been partially remedied in version 5.0.12 and fully addressed in version 5.0.13. Website administrators are strongly recommended to update their LatePoint plugin to the latest version to mitigate the risks associated with this vulnerability.

Affected Version(s)

LatePoint Plugin * <= 5.0.12

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://wpdocs.latepoint.com/changelog/

CVSS V3.1

Score:

9.8

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 8, 2024
Vulnerability Reserved
Sep 17, 2024

Credit

István Márton