9.1
CVE-2024-2472
- EPSS 1.76%
- Published 14.06.2024 10:15:09
- Last modified 20.02.2025 15:28:10
- Source security@wordfence.com
LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive Information Exposure via IDOR
The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customers' cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account.
Possible mitigation
LatePoint Plugin: Update to version 4.9.9.1, or a newer patched version
Further vulnerability information
System: WordPress Plugin
Product
LatePoint Plugin
Version
*-4.9.9
Data provided by the National Vulnerability Database (NVD)
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 1.76% | 0.82 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@wordfence.com | 9.1 | 3.9 | 5.2 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.