WordPress Plugin Vulnerabilities

LatePoint < 5.0.13 - Authentication Bypass

Description

The plugin is vulnerable to authentication bypass due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13.

Affects Plugins

Plugin icon
latepoint
Fixed in 5.0.13

References

CVE
CVE-2024-8943
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/bac8c35b-2afa-4347-b86e-2f16db19a4d3

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287
CVSS
8.1 (high)

Miscellaneous

Original Researcher
István Márton
Verified
No
WPVDB ID
f03ef866-64f3-478c-ae0e-9eb661859b89

Timeline

Publicly Published
2024-09-24 (about 1 year ago)
Added
2024-10-08 (about 1 year ago)
Last Updated
2024-10-08 (about 1 year ago)

Other

Published
Title
Published
2019-12-12
Title
Ultimate Addons for Elementor < 1.20.1 - Authentication Bypass
Published
2026-01-27
Title
AhaChat Messenger Marketing <= 1.1 - Authentication Bypass
Published
2024-07-19
Title
WooCommerce - Social Login < 2.7.4 - Unauthenticated Authentication Bypass
Published
2025-08-27
Title
RingCentral Communications 1.5 - 1.6.8 - Missing Server‑Side Verification to Authentication Bypass via ringcentral_admin_login_2fa_verify Function
Published
2015-01-17
Title
Pie Register <= 2.0.13 - Privilege escalation