PT-2024-39328 · WordPress · Latepoint
István Márton · Published 2024-10-08 · Updated 2026-04-08
CVE-2024-8943
CVSS v3.1: 9.8 (Critical)
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions:
LatePoint plugin for WordPress versions up to, and including, 5.0.12
Description:
The vulnerability stems from insufficient verification of the user supplied during the booking customer step, which allows unauthenticated attackers to log in as any existing user on the site, such as an administrator, provided they know that user's id. This is only possible if the "Use WordPress users as customers" setting is enabled; it is disabled by default.
Recommendations:
For versions up to, and including, 5.0.12, update to version 5.0.13 to fully patch the issue.
As a temporary workaround, consider disabling the "Use WordPress users as customers" setting to minimize the risk of exploitation.
Restrict access to the booking customer step to prevent unauthorized access until the issue is resolved.
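As an added illustration of the bug class described above (this is not LatePoint's code; the handler, request field and nonce action names are assumptions), a hypothetical WordPress booking customer step in PHP, first the unsafe pattern that trusts a client-supplied user id, then the hardened version that binds the customer to the already authenticated session user:

```php
<?php
// Hypothetical "customer step" handler written for this advisory as an
// illustration. It is NOT LatePoint's code; all names are assumptions.

// UNSAFE: a WordPress user id taken from the request is enough to be logged
// in as that user. Nothing proves the caller owns the account.
function booking_customer_step_unsafe( array $request ) {
    $user_id = (int) ( $request['wp_user_id'] ?? 0 );
    $user    = get_user_by( 'id', $user_id );
    if ( $user ) {
        wp_set_current_user( $user->ID );
        wp_set_auth_cookie( $user->ID ); // session issued without authentication
    }
    return $user ? $user->ID : 0;
}

// SAFE: the account bound to the booking is whoever WordPress has already
// authenticated; an id arriving in the request is never used to log anyone in.
function booking_customer_step_safe( array $request ) {
    if ( ! is_user_logged_in() ) {
        // Unauthenticated visitors must go through the normal login/registration flow.
        return new WP_Error( 'not_logged_in', 'Please log in to continue.' );
    }
    if ( ! wp_verify_nonce( $request['_wpnonce'] ?? '', 'booking_customer_step' ) ) {
        return new WP_Error( 'bad_nonce', 'Invalid request.' );
    }
    $current = get_current_user_id();
    // A request id that differs from the session user is a tampering signal:
    // record it for detection and ignore the supplied value.
    if ( isset( $request['wp_user_id'] ) && (int) $request['wp_user_id'] !== $current ) {
        error_log( sprintf( 'booking: user %d supplied foreign user id %d',
            $current, (int) $request['wp_user_id'] ) );
    }
    return $current; // bind the booking customer to the verified session user
}
```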
Fix
Authentication Bypass Using an Alternate Path or Channel
Missing Authentication
Affected Products
Latepoint