CVE-2024-2472

9.1 CRITICAL

📋 TL;DR

The LatePoint Plugin for WordPress has an authorization bypass vulnerability that allows unauthenticated attackers to access other customers' personal data and modify their passwords. This affects all WordPress sites using LatePoint Plugin versions up to 4.9.9. Attackers can view sensitive information including email addresses and potentially take over user accounts.

💻 Affected Systems

Products:
  • LatePoint Plugin for WordPress
Versions: All versions up to and including 4.9.9
Operating Systems: All operating systems running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all WordPress installations with LatePoint Plugin enabled, regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers could compromise all customer accounts, steal sensitive PII data, and potentially gain administrative access if LatePoint passwords are linked to WordPress accounts.

🟠

Likely Case

Unauthenticated attackers accessing customer data including email addresses and modifying passwords, leading to account takeover and privacy violations.

🟢

If Mitigated

Limited impact with proper network segmentation and monitoring, but still exposes sensitive customer data.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The vulnerability requires no authentication and has a simple exploitation path via direct API calls.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Version 4.9.10 or later

Vendor Advisory: https://wpdocs.latepoint.com/changelog/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find LatePoint Plugin and click 'Update Now'.
4. Verify the version is 4.9.10 or higher.

🔧 Temporary Workarounds

Disable LatePoint Plugin

all

Temporarily disable the vulnerable plugin until patching is possible

wp plugin deactivate latepoint

Restrict API Access

linux

Block direct requests to the LatePoint plugin directory via .htaccess, or filter the plugin's endpoints with a web application firewall. Note that the rule below only covers requests to files under the plugin directory; calls routed through /wp-admin/admin-ajax.php (see Detection & Monitoring) need a WAF rule matching the action parameter instead.

# Add to .htaccess:
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/latepoint/.*
RewriteRule ^ - [F]

🧯 If You Can't Patch

  • Implement strict network access controls to limit who can reach the WordPress site
  • Enable detailed logging and monitoring for unauthorized access attempts to LatePoint endpoints

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → LatePoint Plugin version. If version is 4.9.9 or lower, you are vulnerable.

Check Version:

wp plugin get latepoint --field=version

Verify Fix Applied:

Confirm LatePoint Plugin version is 4.9.10 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /wp-admin/admin-ajax.php with action=start_or_use_session_for_customer
  • Multiple failed authentication attempts followed by successful customer cabinet access

Network Indicators:

  • Unusual traffic patterns to LatePoint API endpoints from unauthenticated sources

SIEM Query:

source="wordpress.log" AND ("start_or_use_session_for_customer" OR "latepoint") AND status=200 AND user="-"
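The log indicator and SIEM query above, applied to web-server access logs as an added example (not code from the original advisory or from LatePoint): it flags unauthenticated POSTs to admin-ajax.php carrying the start_or_use_session_for_customer action that were answered with 200, and counts hits per source address. The sample log lines are constructed; it assumes the action appears in the query string, since a standard access log does not record POST bodies, and that the remote-user field is "-" as in the SIEM query.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Combined log format: ip ident user [ts] "METHOD target HTTP/x" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

SUSPECT_ACTION = "start_or_use_session_for_customer"  # from the advisory's log indicator

def parse_line(line):
    """Return the fields we care about as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["action"] = parse_qs(parts.query).get("action", [None])[0]
    rec["status"] = int(rec["status"])
    return rec

def is_suspect(rec):
    """Mirror the advisory's indicator: unauthenticated POST to admin-ajax.php
    with the LatePoint session action that succeeded (HTTP 200)."""
    return (
        rec is not None
        and rec["method"] == "POST"
        and rec["path"].endswith("/wp-admin/admin-ajax.php")
        and rec["action"] == SUSPECT_ACTION
        and rec["status"] == 200
        and rec["user"] == "-"   # remote-user field is only set by HTTP auth
    )

def scan(lines):
    """Return (matching records, hit count per source IP) for the given log lines."""
    hits = [r for r in map(parse_line, lines) if is_suspect(r)]
    return hits, Counter(r["ip"] for r in hits)

# Constructed sample lines (not real traffic); two unauthenticated hits from one IP,
# one authenticated call, one unrelated admin-ajax action.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=start_or_use_session_for_customer HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=start_or_use_session_for_customer HTTP/1.1" 200 498 "-" "curl/8.0"
198.51.100.4 - alice [10/Mar/2024:12:00:03 +0000] "POST /wp-admin/admin-ajax.php?action=start_or_use_session_for_customer HTTP/1.1" 200 480 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Mar/2024:12:00:04 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 40 "-" "Mozilla/5.0"
""".splitlines()
```

Run `scan(SAMPLE_LOG)` to get the two flagged records and a per-IP count of {"203.0.113.7": 2}; repeated hits from one address are the pattern worth alerting on.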
