CVE-2024-2472
LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive Information Exposure via IDOR
CVSS Score
9.1
EPSS Score
0.0%
EPSS Percentile
0th
The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customer's cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account.
| CWE | CWE-639 |
| Vendor | latepoint |
| Product | latepoint plugin |
| Published | Jun 14, 2024 |
| Last Updated | Apr 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for latepoint latepoint plugin
Be the first to know when new critical vulnerabilities affecting latepoint latepoint plugin are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
latepoint / LatePoint Plugin
0 โค 4.9.9
References
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/6215fa9f-06bc-4dc8-b1f5-a3bb75749f1d?source=cve aramhairchitects.nl: https://aramhairchitects.nl/ wpdocs.latepoint.com: https://wpdocs.latepoint.com/changelog/ websec.nl: https://websec.nl/blog/critical-idor-vulnerability-in-latepoint-plugin-exposes-sensitive-data-666b78446e63d6dcdb0f73bf
Credits
Gharib Sharifi Joel Aviad Ossi