Critical severity9.1NVD Advisory· Published Jun 14, 2024· Updated Apr 8, 2026

CVE-2024-2472

Description

The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customer's cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account.

Affected products

Latepoint/Latepoint
cpe:2.3:a:latepoint:latepoint:*:*:*:*:*:wordpress:*:*
Range: <4.9.91

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.wordfence.com/threat-intel/vulnerabilities/id/6215fa9f-06bc-4dc8-b1f5-a3bb75749f1dnvdThird Party Advisory
aramhairchitects.nlnvdNot Applicable
wpdocs.latepoint.com/changelog/nvdProductRelease Notes
websec.nl/blog/critical-idor-vulnerability-in-latepoint-plugin-exposes-sensitive-data-666b78446e63d6dcdb0f73bfnvd

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000