9.1

CVE-2024-2472

LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive Information Exposure via IDOR

LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive Information Exposure via IDOR

The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customer's cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account.
Mögliche Gegenmaßnahme
LatePoint Plugin: Update to version 4.9.9.1, or a newer patched version
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
LatepointLatepoint SwPlatformwordpress Version < 4.9.91
Weitere Schwachstelleninformationen
SystemWordPress Plugin
Produkt LatePoint Plugin
Version *-4.9.9
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.62% 0.451
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
security@wordfence.com 9.1 3.9 5.2
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE-639 Authorization Bypass Through User-Controlled Key

The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

https://aramhairchitects.nl/
Not Applicable
https://wpdocs.latepoint.com/changelog/
Product
Release Notes
https://www.wordfence.com/threat-intel/vulnerabilities/id/6215fa9f-06bc-4dc8-b1f5-a3bb75749f1d?source=cve
Third Party Advisory
https://websec.nl/blog/critical-idor-vulnerability-in-latepoint-plugin-exposes-sensitive-data-666b78446e63d6dcdb0f73bf
https://www.wordfence.com/threat-intel/vulnerabilities/id/6215fa9f-06bc-4dc8-b1f5-a3bb75749f1d
Third Party Advisory