CVE-2024-8911

9.8 CRITICAL

📋 TL;DR

This SQL injection vulnerability in the LatePoint WordPress plugin allows unauthenticated attackers to change user passwords. It affects versions up to and including 5.0.11. WordPress user passwords (including administrator accounts) are reachable only when the 'Use WordPress users as customers' setting is enabled; otherwise only plugin customer passwords stored in the plugin's own tables are exposed. Where the setting is enabled, attackers could take over administrator accounts and compromise the site.

💻 Affected Systems

Products:
  • LatePoint WordPress Plugin
Versions: Up to and including 5.0.11
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ✅ No
Notes: Vulnerability requires 'Use WordPress users as customers' setting enabled to affect WordPress user passwords. By default, only plugin customer passwords in separate tables are vulnerable.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete site takeover via administrator account compromise leading to data theft, malware installation, and website defacement.

🟠

Likely Case

Unauthenticated attackers change passwords for plugin customers or WordPress users (if setting enabled), gaining unauthorized access to accounts.

🟢

If Mitigated

With proper controls and default configuration, only plugin customer passwords in separate tables are vulnerable, limiting impact.

🌐 Internet-Facing: HIGH
🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

SQL injection vulnerabilities are commonly weaponized. The unauthenticated nature and high CVSS score make this attractive to attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.0.12 or later

Vendor Advisory: https://wpdocs.latepoint.com/changelog/

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the LatePoint plugin.
4. Click 'Update Now' if an update is available.
5. If no update is available, download version 5.0.12+ from the WordPress repository and update manually.

🔧 Temporary Workarounds

Disable WordPress Users as Customers (platform: all)

Disable the vulnerable setting to prevent WordPress user password changes.

Temporary Plugin Deactivation (platform: linux)

Deactivate the LatePoint plugin until patched:

wp plugin deactivate latepoint

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) with SQL injection rules
  • Restrict access to WordPress admin area using IP whitelisting

🔍 How to Verify

Check if Vulnerable:

Check LatePoint plugin version in WordPress admin → Plugins → Installed Plugins

Check Version:

wp plugin get latepoint --field=version

Verify Fix Applied:

Verify LatePoint plugin version is 5.0.12 or higher

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL queries in database logs
  • Multiple failed login attempts followed by successful login from new IP
  • Password reset requests for admin accounts

Network Indicators:

  • POST requests to LatePoint endpoints with SQL injection patterns
  • Unusual traffic to /wp-content/plugins/latepoint/

SIEM Query:

source="wordpress" AND (uri_path="*latepoint*" AND (query_string="*SELECT*" OR query_string="*UPDATE*" OR query_string="*UNION*"))
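The network indicators and SIEM query above, applied to web server access logs, as an added example that is not part of this advisory: it parses constructed Apache-style log lines, URL-decodes the query string, flags requests to LatePoint paths that carry a SELECT/UPDATE/UNION keyword, and counts requests per IP under /wp-content/plugins/latepoint/. The endpoint file names in the sample lines are placeholders, not real LatePoint routes.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed sample access-log lines (Apache combined format); the
# placeholder.php endpoint is hypothetical, not a real LatePoint route.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2024:12:00:01 +0000] "GET /wp-content/plugins/latepoint/public/css/app.css HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:12:00:02 +0000] "POST /wp-content/plugins/latepoint/placeholder.php?id=1%20UNION%20SELECT%201 HTTP/1.1" 200 88 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2024:12:00:03 +0000] "GET /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2024:12:00:04 +0000] "POST /wp-content/plugins/latepoint/placeholder.php?id=1%3B%20UPDATE%20x HTTP/1.1" 200 88 "-" "curl/8.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords from the advisory's SIEM query, matched as whole words after URL decoding.
SQL_KEYWORDS = re.compile(r"\b(SELECT|UPDATE|UNION)\b", re.IGNORECASE)

def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)  # decode %20 and '+' before keyword matching
    return rec

def is_suspicious(rec):
    """True when a request touches a LatePoint path and its query carries a SQL keyword."""
    return "latepoint" in rec["path"].lower() and bool(SQL_KEYWORDS.search(rec["query"]))

def scan(log_text):
    """Return (hits, per-IP request counts under the LatePoint plugin directory)."""
    hits, counts = [], {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["path"].startswith("/wp-content/plugins/latepoint/"):
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
        if is_suspicious(rec):
            hits.append((rec["ip"], rec["method"], rec["path"], rec["query"]))
    return hits, counts

if __name__ == "__main__":
    hits, counts = scan(SAMPLE_LOG)
    for hit in hits:
        print("SUSPICIOUS", *hit)
    print("LatePoint requests per IP:", counts)
```

Access logs record the request line but not POST bodies, so this only sees keywords in the path or query string; injection carried in a POST body needs WAF or application-level logging to detect.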
