CVE-2024-8943
Published: 08 October 2024
Summary
CVE-2024-8943 is a critical-severity Authentication Bypass Using an Alternate Path or Channel (CWE-288) vulnerability in LatePoint (vendor: Latepoint). Its CVSS base score is 9.8 (Critical).
Operationally, it is ranked in the top 2.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
The LatePoint plugin for WordPress is affected by an authentication bypass vulnerability in versions up to and including 5.0.12. The flaw arises from insufficient verification of the supplied user during the booking customer step, enabling unauthenticated access when the optional "Use WordPress users as customers" setting is enabled. The issue is tracked under CWE-288 and CWE-306 and carries a CVSS 3.1 score of 9.8.
Unauthenticated attackers who can obtain a valid user ID can exploit the weakness to log in as any existing account on the site, including administrator accounts. This grants full control over the WordPress instance and any data or functionality accessible to the impersonated user. The attack requires no user interaction and can be performed over the network.
The vendor changelog and Wordfence advisory indicate the vulnerability is only partially addressed in 5.0.12 and fully resolved in 5.0.13; site owners should update to the latest version. The associated EPSS score is 0.4006, with no material increase from its earlier baseline.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-49500
Vulnerability details
The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls (AI-derived)
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Mandate additional authentication for access under defined conditions, so that critical or high-risk functions are never reachable without authentication.
- Have identity providers enforce authentication for functions that would otherwise lack it.
- Require authentication for non-organizational users, preventing access to critical functions without proper identification and authentication.
- Require established identification and authentication to unlock a session, mitigating missing authentication for continued system access.
- Require identification and a documented rationale for any action allowed without authentication, forcing a review of authentication requirements so that critical functions are not left unprotected.
- Authorize remote access explicitly, reducing the ability to bypass authentication through unauthorized alternate remote channels.
- Authorize mobile device connections to organizational systems, ensuring authentication is performed for this critical access function.
- Guarantee that critical functions are protected by mandatory invocation of the access control mechanism.