Two critical vulnerabilities in the LatePoint plugin have put thousands of WordPress websites at risk. Over 7,000 WordPress sites actively use the plugin for booking, service and order management.
The Wordfence Threat Intelligence team identified two issues. The first is an Unauthenticated Arbitrary User Password Change vulnerability: an attacker with no account on the site can change the password of any user, including the administrator. The second is an Authentication Bypass vulnerability that lets an attacker log in as any account, again including the administrator.
The password change vulnerability stems from insufficient escaping of a user-supplied parameter before it is used in a SQL query, which makes the query vulnerable to SQL injection. The authentication bypass stems from insufficient verification of the user's identity during the booking customer step, so the plugin treats an unverified request as if it came from the claimed customer.
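The following is an added illustration of the bug class behind the password change issue (a user-supplied value concatenated into a SQL query) next to the way a WordPress plugin should write the same operation. It is not LatePoint's code and not from the Wordfence write-up; the `lp_demo_*` function names and the "password reset by e-mail" handler are assumptions made for the example.

```php
<?php
/*
 * Added example, not LatePoint code. Shows the vulnerable pattern
 * (string interpolation into SQL) beside the hardened pattern
 * ($wpdb->prepare() placeholders, an authorization check, and the
 * core password API). Function names lp_demo_* are hypothetical.
 */

/**
 * VULNERABLE: $email comes straight from the request and is interpolated
 * into the statement. A crafted value can rewrite the WHERE clause so the
 * UPDATE hits a different row (for example the administrator) or every row.
 * No capability or nonce check is performed either, so an unauthenticated
 * caller can reach it.
 */
function lp_demo_update_password_vulnerable( $email, $new_password ) {
    global $wpdb;

    $hash = wp_hash_password( $new_password );
    $sql  = "UPDATE {$wpdb->users} "
          . "SET user_pass = '{$hash}' "
          . "WHERE user_email = '{$email}'"; // untrusted input in SQL

    return $wpdb->query( $sql );
}

/**
 * HARDENED: only a logged-in user with the edit_users capability may
 * call it, the lookup uses a %s placeholder via $wpdb->prepare() so the
 * value can never change the structure of the query, and the password is
 * set through wp_set_password() rather than by writing user_pass directly.
 * Returns the affected user ID or a WP_Error.
 */
function lp_demo_update_password_hardened( $email, $new_password ) {
    global $wpdb;

    if ( ! is_user_logged_in() || ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'lp_demo_forbidden', 'Not allowed.' );
    }

    $email = sanitize_email( $email );
    if ( '' === $email ) {
        return new WP_Error( 'lp_demo_bad_email', 'Invalid e-mail address.' );
    }

    // Placeholder, not interpolation: the value is quoted and escaped by
    // $wpdb->prepare(), and the query text itself contains no user data.
    $user_id = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT ID FROM {$wpdb->users} WHERE user_email = %s",
            $email
        )
    );
    if ( ! $user_id ) {
        return new WP_Error( 'lp_demo_not_found', 'No such user.' );
    }

    wp_set_password( $new_password, (int) $user_id );

    return (int) $user_id;
}

/**
 * Hypothetical request handler wiring for the hardened function, as it
 * would be registered with add_action( 'admin_post_lp_demo_set_password', ... ).
 * The nonce action name 'lp_demo_set_password' is an assumption.
 */
function lp_demo_handle_request() {
    check_admin_referer( 'lp_demo_set_password' );

    $result = lp_demo_update_password_hardened(
        isset( $_POST['email'] ) ? wp_unslash( $_POST['email'] ) : '',
        isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : ''
    );

    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), '', array( 'response' => 403 ) );
    }

    wp_safe_redirect( admin_url( 'users.php?updated=1' ) );
    exit;
}
```

Two points a reviewer would check in any plugin that touches `wp_users`: every query that carries request data goes through `$wpdb->prepare()` (escaping with `esc_sql()` alone is a weaker substitute, because it still leaves the developer to get the quoting right), and any action that changes credentials is gated by a capability check and a nonce, not merely by being hard to reach from the UI.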
The Wordfence team has published a detailed analysis of both vulnerabilities for readers interested in the technical details.
By exploiting these vulnerabilities, an attacker can take control of a website and change the administrator's password to lock the original administrator out.
The Wordfence Threat Intelligence team contacted the LatePoint team on September 17, 2024, and received a response the same day. LatePoint released two patches, on September 20, 2024, and September 24, 2024, to fix these vulnerabilities.
Anyone running the LatePoint plugin should update to the latest version as soon as possible. Sites using Wordfence Premium, Wordfence Care, and Wordfence Response have already received firewall rules that block attempts to exploit these vulnerabilities; sites using Wordfence Free will receive the same rules on October 17, 2024. A firewall rule is a mitigation, not a fix, so the plugin should be updated regardless of which Wordfence tier is in use.
If you use WordPress, you can read this detailed WordPress security guide to learn how to protect your website. For additional security and peace of mind, you can hire us. We provide WordPress development and security services at an affordable cost.