
LatePoint plugin vulnerabilities affect more than 7,000 websites


LatePoint, a widely used appointment-scheduling plugin installed on more than 7,000 websites, was found to have ‘Unauthenticated Arbitrary User Password Change’ and ‘Authentication Bypass’ vulnerabilities. Attackers can exploit both flaws to take over administrator accounts and compromise entire websites.

The first vulnerability, CVE-2024-8911, allows attackers to change the password of any user on a WordPress site, including administrators, without needing authentication. This flaw stems from insufficient escaping of user-supplied parameters in the plugin’s SQL queries, which could enable an attacker to inject malicious code.

If the ‘Use WordPress users as customers’ option is enabled, attackers can reset WordPress user passwords, granting them full access to an administrator account and control of the site.

The second flaw, CVE-2024-8943, allows attackers to log in as any user by exploiting insufficient verification during customer registration. Attackers can supply a WordPress user ID during the booking steps and gain unauthorised access to the corresponding account, including those with administrator privileges.

As with the first flaw, this vulnerability only critically impacts websites where the plugin’s ‘Use WordPress users as customers’ option is enabled.
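The two weak patterns the article describes, each beside a hardened form using standard WordPress APIs, as an added illustration that is not LatePoint's code; the function names and the customers table are hypothetical:

```php
<?php
// Hypothetical illustration, not LatePoint code. Shows the two patterns
// named above beside the hardened form WordPress provides.

// --- Pattern 1: user-supplied value interpolated into SQL (weak) ---
function weak_lookup_customer_by_email( $email ) {
    global $wpdb;
    // $email comes straight from the request with no escaping, so the
    // query text itself can be altered by crafted input.
    return $wpdb->get_var( "SELECT id FROM {$wpdb->prefix}customers WHERE email = '$email'" );
}

// Hardened: the value is bound as a parameter via $wpdb->prepare().
function safe_lookup_customer_by_email( $email ) {
    global $wpdb;
    return $wpdb->get_var( $wpdb->prepare(
        "SELECT id FROM {$wpdb->prefix}customers WHERE email = %s",
        sanitize_email( $email )
    ) );
}

// --- Pattern 2: trusting a client-supplied WordPress user ID (weak) ---
function weak_link_booking_to_wp_user( array $post ) {
    // The caller chooses which WordPress account the booking, and any
    // later login or password change, is tied to.
    return absint( $post['wp_user_id'] );
}

// Hardened: identity comes from the authenticated session, never from
// the submitted form.
function safe_link_booking_to_wp_user() {
    if ( ! is_user_logged_in() ) {
        wp_die( 'Log in before booking.', 'Forbidden', array( 'response' => 403 ) );
    }
    return get_current_user_id();
}

// Hardened password change: only the account owner, or a user who may
// edit users, can set a new password for $user_id.
function safe_change_password( $user_id, $new_password ) {
    if ( get_current_user_id() !== (int) $user_id && ! current_user_can( 'edit_users' ) ) {
        wp_die( 'Not allowed.', 'Forbidden', array( 'response' => 403 ) );
    }
    wp_set_password( $new_password, (int) $user_id );
}
```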

LatePoint released the initial patch, version 5.0.12, on September 20, 2024, with a full fix rollout on September 24 in version 5.0.13. Researchers have urged users and organisations to update their plugins to version 5.0.13 to avoid potential exploitation.

These vulnerabilities could have severe implications for websites using LatePoint, particularly if attackers gain access to administrative accounts. Once inside, attackers can manipulate site content, upload malicious plugins or themes, and redirect visitors to harmful external sites.

WordPress site owners who use LatePoint with the ‘Use WordPress users as customers’ option enabled are especially vulnerable and should prioritise updating to the latest patched version.

In August, the JS Help Desk plugin, installed on over 5,000 websites, suffered an RCE flaw.

On July 1, four WordPress plugins were hit by a supply chain attack. In June, an Arbitrary Options Update Flaw was reported to have affected over 40,000 Login/Signup Popup plugin installations.


Kumar Hemant

Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations. You can contact him here: kumarhemant@pm.me