CVE-2024-8943

CRITICAL EXPLOITED NUCLEI

LatePoint Plugin <= 5.0.12 - Unauthenticated Authentication Bypass via User ID

Title source: llm

Exploitation Summary

CVE-2024-8943 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.

Description

The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. The vulnerability is partially patched in version 5.0.12 and fully patched in version 5.0.13.

Nuclei Templates (1)

LatePoint <= 5.0.12 - Authentication Bypass

CRITICALVERIFIEDby daffainfo

References (2)

Core 2

Core References

Release Notes

https://wpdocs.latepoint.com/changelog/

Third Party Advisory

https://www.wordfence.com/threat-intel/vulnerabilities/id/bac8c35b-2afa-4347-b86e-2f16db19a4d3?source=cve

Scores

CVSS v3 9.8

EPSS 0.0299

EPSS Percentile 85.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable yes

Technical Impact total

Details

VulnCheck KEV 2024-10-08

CWE

CWE-306 CWE-288

Status published

Products (2)

latepoint/latepoint < 5.0.13

latepoint/LatePoint Plugin < 5.0.12

Published Oct 08, 2024

Tracked Since Feb 18, 2026