Worldfence reports critical flaws in LatePoint WordPress plugin
Take action: If you are using LatePoint Wordpress plugin, update to latest version ASAP. The plugin is exposed to the internet by design, so an attacker will immediately see it and can exploit the flaws.
Learn More
Wordfence has identified and disclosed two critical vulnerabilities affecting the LatePoint plugin for WordPress, which is estimated to be active on over 7,000 websites. These vulnerabilities could allow unauthenticated attackers to gain control of affected sites. The flaws include:
- CVE-2024-8911 (CVSS score 9.8) - Unauthenticated Arbitrary User Password Change - This vulnerability allows an unauthenticated attacker to change the password of any user, including administrator accounts, through a SQL injection exploit. By leveraging this flaw, attackers can effectively reset passwords and take control of targeted sites. The issue stems from improper handling of the password_reset_token parameter during SQL queries, allowing for injection.
- Affected Versions: LatePoint <= 5.0.11
- Fully patched in LatePoint version 5.0.12. Users should ensure they update to this version or newer.
- CVE-2024-8943 (CVSS score 9.8) - Authentication Bypass - This flaw allows attackers to bypass authentication and access any user account, including those with administrative privileges, by exploiting weaknesses in the process_step_customer() function. Attackers can supply any user ID during registration, which results in unauthorized access to user accounts.
- Affected Versions: LatePoint <= 5.0.12
- Fully patched in LatePoint version 5.0.13. Users should update to this version to secure their sites.
Site administrators using the LatePoint plugin should immediately update to version 5.0.13 or later to ensure protection.
