CVE-2024-2472

CRITICAL

LatePoint Plugin <4.9.9 - Info Disclosure


Description

The LatePoint plugin for WordPress is vulnerable to unauthorized access to and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customers' cabinets, including the ability to view PII such as email addresses, and to change their LatePoint user password, which may or may not be associated with a WordPress account.

Scores

CVSS v3: 9.1
EPSS: 0.0176
EPSS Percentile: 82.7%
Attack Vector: NETWORK
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: total

Details

CWE: CWE-639
Status: published
Products (2):
latepoint/latepoint < 4.9.91
latepoint/LatePoint Plugin < 4.9.9
Published: Jun 14, 2024
Tracked Since: Feb 18, 2026