Cyber Resilience

CVE-2024-8943

Critical

Published: 08 October 2024
Modified: 20 February 2025
KEV Added: not listed
Patch: fully patched in version 5.0.13
CVSS Score (v3.1): 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.4006 (97.4th percentile)
Risk Priority: 44 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2024-8943 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in the LatePoint plugin for WordPress (vendor: LatePoint). Its CVSS base score is 9.8 (Critical).

Operationally, it ranks in the top 2.6% of CVEs by exploit likelihood (EPSS); it is not currently listed in the CISA KEV catalog.

Deeper analysis

The LatePoint plugin for WordPress is affected by an authentication bypass vulnerability in versions up to and including 5.0.12. The flaw arises from insufficient verification of the supplied user during the booking customer step, enabling unauthenticated access when the optional "Use WordPress users as customers" setting is enabled. The issue is tracked under CWE-288 and CWE-306 and carries a CVSS 3.1 score of 9.8.

Unauthenticated attackers who can obtain a valid user ID can exploit the weakness to log in as any existing account on the site, including administrator accounts. This grants full control over the WordPress instance and any data or functionality accessible to the impersonated user. The attack requires no user interaction and can be performed over the network.

The vendor changelog and Wordfence advisory indicate the vulnerability is only partially addressed in 5.0.12 and fully resolved in 5.0.13; site owners should update to the latest version. The associated EPSS score stands at 0.4006 and has not materially increased from its earlier, lower baseline.

Vulnerability details

The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13.

CWE(s)

CWE-288 (Authentication Bypass Using an Alternate Path or Channel), CWE-306 (Missing Authentication for Critical Function)
Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: latepoint
Product: latepoint
Versions: ≤ 5.0.13 (note that the advisory text above states versions up to and including 5.0.12 as affected, with 5.0.13 fully patched)

Mitigating Controls

Likely Mitigating Controls (AI-derived mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

- (addresses CWE-306, CWE-288) Mandates additional authentication for access under defined conditions, ensuring critical or high-risk functions are not left without authentication.
- (addresses CWE-306, CWE-288) Identity providers mandate authentication for functions that would otherwise lack it.
- (addresses CWE-306, CWE-288) Requires authentication for non-organizational users, preventing access to critical functions without proper identification and authentication.
- (addresses CWE-306) Requires established identification and authentication to unlock, mitigating missing authentication for continued system access.
- (addresses CWE-306) Requiring identification and rationale for actions allowed without authentication ensures critical functions are not left unprotected by forcing review of authentication requirements.
- (addresses CWE-288) Authorizing remote access reduces the ability to bypass authentication via unauthorized alternate remote channels.
- (addresses CWE-306) Authorizing mobile device connections to organizational systems ensures authentication is performed for this critical access function.
- (addresses CWE-306) Guarantees critical functions are protected by mandatory invocation of the access control mechanism.
