CVE-2024-8911

Name of the Vulnerable Software and Affected Versions: LatePoint plugin for WordPress versions up to, and including, 5.0.11

Description: The issue is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query, making it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. This is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. Without this setting enabled, only the passwords of plugin customers, which are stored and managed in a separate database table, can be modified.

Recommendations: For versions up to, and including, 5.0.11, upgrade to a newer version to patch the issue. As a temporary workaround, consider disabling the "Use WordPress users as customers" setting to minimize the risk of exploitation. Restrict access to the plugin's customer management functionality to prevent unauthorized password changes.