CVE-2024-8943
published 2024-10-08


Priority: P183 · critical · 9.8 (CVSS 3.1)
AV:N · AC:L · PR:N · UI:N · S:U · C:H · I:H · A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 2.99% (85.7th percentile)

The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13.

Affected

2 ranges
Vendor     Product           Version range   Fixed in
latepoint  latepoint         < 5.0.13        5.0.13
latepoint  latepoint_plugin  <= 5.0.12

Detection & IOCs (extracted from sources)

url: /wp-admin/admin-ajax.php
path: /wp-json/wp/v2/users
path: /?rest_route=/wp/v2/users
  • A successful authentication bypass will result in a Set-Cookie header containing 'wordpress_logged_in_' in the response to the exploit POST request, indicating the attacker has been logged in as the targeted user.
  • Attackers will first enumerate WordPress user IDs via the REST API endpoints /wp-json/wp/v2/users or /?rest_route=/wp/v2/users before launching the authentication bypass. Monitor for unauthenticated access to these endpoints followed by POST requests to admin-ajax.php.
  • A JSON response body containing '"status":"success"' from /wp-admin/admin-ajax.php in response to a latepoint_route_call action indicates a successful bypass.
  • The authentication bypass to WordPress user accounts is only exploitable when the 'Use WordPress users as customers' setting is enabled in the LatePoint plugin. This setting is DISABLED by default, significantly limiting the attack surface in default installations.
  • The attacker must have prior knowledge of or be able to enumerate a valid WordPress user ID. The REST API user enumeration endpoints (/wp-json/wp/v2/users) are commonly used as a prerequisite step. Disabling user enumeration via the REST API can reduce exploitability.
  • Version 5.0.12 is only a partial patch; the vulnerability is fully remediated only in version 5.0.13. Detection rules should flag both 5.0.12 and earlier versions as vulnerable.
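
The monitoring rule described above (requests to the user-listing endpoints followed by a POST to admin-ajax.php from the same client), as an added example that is not part of the original entry or of any vendor tooling. It assumes combined-format web access logs and a 10-minute correlation window; the function names and sample lines are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from urllib.parse import unquote

# Combined-log-format prefix: client IP, timestamp, method, target, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
WINDOW = timedelta(minutes=10)  # assumed correlation window; tune per site


def is_user_enum(method, target):
    """True for a GET of the REST user listing, in either URL form on the page."""
    if method != "GET":
        return False
    path, _, query = target.partition("?")
    return (path.startswith("/wp-json/wp/v2/users")
            or "rest_route=/wp/v2/users" in unquote(query))


def correlate(lines, window=WINDOW):
    """Return (ip, enum_time, post_time) for every admin-ajax.php POST that
    follows a 200 on a user-listing endpoint from the same IP within window."""
    last_enum, hits = {}, []  # last_enum: ip -> time of latest enumeration
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        ip, method, target = m["ip"], m["method"], m["target"]
        if is_user_enum(method, target) and m["status"] == "200":
            last_enum[ip] = ts
        elif method == "POST" and target.split("?")[0] == "/wp-admin/admin-ajax.php":
            seen = last_enum.get(ip)
            if seen is not None and timedelta(0) <= ts - seen <= window:
                hits.append((ip, seen, ts))
    return hits


# Constructed sample lines (documentation IP ranges), not real traffic.
_L = '{} - - [08/Oct/2024:{} +0000] "{} HTTP/1.1" 200 87 "-" "-"'
SAMPLE = [
    _L.format("203.0.113.7", "10:00:01", "GET /wp-json/wp/v2/users"),
    _L.format("203.0.113.7", "10:00:09", "POST /wp-admin/admin-ajax.php"),
    _L.format("198.51.100.4", "10:01:00", "POST /wp-admin/admin-ajax.php"),
    _L.format("192.0.2.9", "10:02:00", "GET /?rest_route=%2Fwp%2Fv2%2Fusers"),
    _L.format("192.0.2.9", "10:03:00", "POST /wp-admin/admin-ajax.php"),
    _L.format("203.0.113.50", "10:04:00", "GET /wp-json/wp/v2/users"),
    _L.format("203.0.113.50", "10:30:00", "POST /wp-admin/admin-ajax.php"),
]
```

POSTs to admin-ajax.php are routine on WordPress sites and access logs record neither the request's action parameter nor response headers, so treat each hit as a lead to confirm against the response indicators listed above (the 'wordpress_logged_in_' Set-Cookie and the '"status":"success"' body) where response capture is available.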

CVSS provenance

nvd · v3.1 · 9.8 · CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vulncheck · 9.8 · CRITICAL