CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8943 – LatePoint <= 5.0.12 - Authentication Bypass
https://notcve.org/view.php?id=CVE-2024-8943
24 Sep 2024 — The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. This is due to insufficient verification on the user being supplied during the booking customer step. This makes it possible for unauthenticated attackers to log in as any existing user on the site, such as an administrator, if they have access to the user id. Note that logging in as a WordPress user is only possible if the "Use WordPress users as customers" setting is enabled, which is disabl... • https://wpdocs.latepoint.com/changelog • CWE-288: Authentication Bypass Using an Alternate Path or Channel •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-8911 – LatePoint <= 5.0.11 - Unauthenticated Arbitrary User Password Change via SQL Injection
https://notcve.org/view.php?id=CVE-2024-8911
20 Sep 2024 — The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note that changing a WordPress user's password is only possible if the "Use WordPress users as customers" setti... • https://wpdocs.latepoint.com/changelog • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 6.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43992 – WordPress LatePoint plugin <= 4.9.91 - Cross Site Scripting (XSS) vulnerability
https://notcve.org/view.php?id=CVE-2024-43992
29 Aug 2024 — Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Latepoint LatePoint allows Stored XSS.This issue affects LatePoint: from n/a through 4.9.91. The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 4.9.91 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with subscriber-level access and above, to inject arbitrary web scripts in pa... • https://patchstack.com/database/vulnerability/latepoint/wordpress-latepoint-plugin-4-9-91-cross-site-scripting-xss-vulnerability?_s_id=cve • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2024-43945 – WordPress LatePoint plugin <= 4.9.91 - Cross Site Request Forgery (CSRF) vulnerability
https://notcve.org/view.php?id=CVE-2024-43945
26 Aug 2024 — Cross-Site Request Forgery (CSRF) vulnerability in Latepoint LatePoint allows Cross Site Request Forgery.This issue affects LatePoint: from n/a through 4.9.91. The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to, and including, 4.9.91. This is due to missing or incorrect nonce validation on a function. This makes it possible for unauthenticated attackers to perform an unauthorized action via a forged request granted they can trick a site administrator into perfor... • https://patchstack.com/database/vulnerability/latepoint/wordpress-latepoint-plugin-4-9-91-cross-site-request-forgery-csrf-vulnerability?_s_id=cve • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-2472 – LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive Information Exposure via IDOR
https://notcve.org/view.php?id=CVE-2024-2472
13 Jun 2024 — The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customer's cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account. El complemento Late... • https://aramhairchitects.nl • CWE-639: Authorization Bypass Through User-Controlled Key •