CVE-2024-8911

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89)

Published: Oct 8, 2024 / Updated: 42d ago

CVSS 9.8 / EPSS 0.09% / Critical

Summary

The LatePoint plugin for WordPress contains a vulnerability allowing Arbitrary User Password Change via SQL Injection in versions up to and including 5.0.11. The flaw stems from insufficient escaping of a user-supplied parameter and a lack of preparation on the existing SQL query. As a result, unauthenticated attackers can change user passwords, including those of administrator accounts. Note that WordPress user passwords are only reachable when the plugin's "Use WordPress users as customers" setting is enabled (it is disabled by default); otherwise only the passwords of plugin customers, which are stored and managed in a separate database table, can be modified.

Impact

The impact of this vulnerability is severe. Unauthenticated attackers can potentially change user passwords, including those of administrator accounts. This could lead to unauthorized access to WordPress sites, complete takeover of administrator accounts, and subsequent compromise of the entire website. The attacker could then perform various malicious actions such as modifying content, stealing sensitive information, or using the compromised site for further attacks.

Exploitation

There is no evidence that a public proof-of-concept exists, and no evidence of exploitation in the wild at the moment.

Patch

A patch is not explicitly mentioned in the provided information. However, given that the vulnerability affects versions up to and including 5.0.11 of the LatePoint plugin, it is likely that versions after 5.0.11 have addressed this issue. The security team should check for updates to the LatePoint plugin and ensure they are running a version newer than 5.0.11.

Mitigation

1. Update the LatePoint plugin to a version newer than 5.0.11 if available.
2. If the "Use WordPress users as customers" setting is enabled, consider disabling it; it is not enabled by default. With the setting off, the vulnerability only affects plugin customer accounts rather than WordPress user accounts.
3. Implement strong input validation and sanitization for all user inputs, especially those used in SQL queries.
4. Use prepared statements or parameterized queries to prevent SQL injection attacks.
5. Regularly audit and update all WordPress plugins, themes, and core installations.
6. Implement the principle of least privilege for all user accounts.
7. Enable and configure Web Application Firewall (WAF) rules to detect and block SQL injection attempts.
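The CWE-89 pattern behind mitigation items 3 and 4, as an added illustration for a WordPress plugin handler (hypothetical code written for this page, not LatePoint's source): a customer password update built by string interpolation next to the same update done through $wpdb->prepare() after authorization and input validation. The table name, column names and nonce action are assumptions.

```php
<?php
// Added illustration of the CWE-89 pattern, not LatePoint's code. Assumes a
// hypothetical customer table "{$wpdb->prefix}example_customers" with "email"
// and "password" columns; $wpdb, WP_Error, wp_hash_password() and the
// sanitize helpers are WordPress core, so this runs inside any plugin.

// Hypothetical UNSAFE handler: the email is interpolated straight into the
// query text, so a quote character in it is parsed as SQL, and nothing
// checks that the caller may change this account's password at all.
function example_update_password_unsafe( $email, $new_password ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_customers';
    $hash  = wp_hash_password( $new_password );
    return $wpdb->query(
        "UPDATE {$table} SET password = '{$hash}' WHERE email = '{$email}'"
    );
}

// Hardened handler: authorize, validate, then bind every value with
// $wpdb->prepare() so it reaches MySQL as data rather than as query text.
function example_update_password_safe( $email, $new_password, $nonce ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_customers'; // trusted, not user input

    // 1. Authorization: only an administrator with a valid nonce for this
    //    action may reset a customer's password; unauthenticated callers fail.
    if ( ! current_user_can( 'manage_options' )
        || ! wp_verify_nonce( $nonce, 'example_change_password' ) ) {
        return new WP_Error( 'forbidden', 'Not allowed.' );
    }

    // 2. Input validation: a well-formed email and a minimum password length.
    $email = sanitize_email( $email );
    if ( ! is_email( $email ) || strlen( $new_password ) < 12 ) {
        return new WP_Error( 'invalid_input', 'Invalid email or password.' );
    }

    // 3. Parameterized query: prepare() quotes and escapes each %s value, so
    //    caller-supplied data can never change the structure of the statement.
    $sql = $wpdb->prepare(
        "UPDATE {$table} SET password = %s WHERE email = %s",
        wp_hash_password( $new_password ),
        $email
    );
    $rows = $wpdb->query( $sql ); // affected row count, or false on DB error
    if ( false === $rows ) {
        return new WP_Error( 'db_error', 'Password update failed.' );
    }
    return 0 < $rows; // true only when a customer row was actually updated
}
```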

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Timeline

First Article
Oct 8, 2024 at 8:44 AM / Vulners.com RSS Feed
Feedly found the first article mentioning CVE-2024-8911.

CVSS Estimate
Oct 8, 2024 at 8:44 AM
Feedly estimated the CVSS score as HIGH.

CVE Assignment
Oct 8, 2024 at 9:15 AM
NVD published the first details for CVE-2024-8911.

CVSS
Oct 8, 2024 at 9:21 AM / nvd
A CVSS base score of 9.8 has been assigned.

EPSS
Oct 9, 2024 at 10:30 AM
EPSS Score was set to: 0.09% (Percentile: 39.7%)

Affected Systems

Latepoint/latepoint

Attack Patterns

CAPEC-108: Command Line Execution through SQL Injection

References

7,000 WordPress Sites Affected by Unauthenticated Critical Vulnerabilities in LatePoint WordPress Plugin
On September 17, 2024, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for two critical vulnerabilities in the LatePoint plugin, which is estimated to be actively installed on more than 7,000 WordPress websites. The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11.

News

Web Application Detections Published in October 2024
In October, Qualys released QIDs targeting vulnerabilities in several widely used software products, including WordPress, Zohocorp ManageEngine Endpoint, Lobe Chat, Ivanti Virtual Traffic Manager (vTM), Traefik, Nginx Proxy Manager, Harbor, Haproxy, SolarWinds Access Rights Manager (ARM), Cacti, Ivanti Endpoint Manager Mobile (EPMM), JetBrains TeamCity, Palo Alto Networks Expedition, Progress Telerik Report Server, Zimbra, Oracle WebLogic Server, Apache Solr, FlatPress CMS, pgAdmin, Grafana, pfSense, SolarWinds Web Help Desk, Ivanti Avalanche, ReCrystallize Server, Joomla!, and PHP. The QIDs released to detect the vulnerabilities in the frameworks above are listed below. Details about the following QIDs can be found in our knowledge base. Please review reports of the scanned applications for these detections and, if any are identified, follow the steps provided in the knowledge base to ensure applications are protected against the reported vulnerabilities.
QID 152202: Zohocorp ManageEngine Endpoint Central Incorrect Authorization Vulnerability (CVE-2024-38868)
QID 152206: WordPress Delicious Recipe Plugin: Arbitrary File Movement and Reading Vulnerability (CVE-2024-7626)
QID 152207: WordPress Simple Spoiler Plugin: Arbitrary Shortcode Execution Vulnerability (CVE-2024-8479)
QID 152209: WordPress PropertyHive Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-8490)
QID 152210: WordPress Share This Image Plugin: Open Redirect Vulnerability (CVE-2024-8761)
QID 152215: WordPress infolinks Ad Wrap Plugin: Cross-Site Request Forgery Vulnerability (CVE-2024-8044)
QID 152216: WordPress Bit File Manager Plugin:
Vulnerability Notice – Adobe, Gitlab, Latepoint plugin (Wordpress), Oracle, Telerik Report Server
Gitlab has released a security update to address a critical-severity vulnerability (CVE-2024-9164) in GitLab EE affecting all versions starting from 12.5 prior to 17.2.9, starting from 17.3, prior to 17.3.5, and starting from 17.4 prior to 17.4.2, which allows running pipelines on arbitrary branches. LatePoint plugin for WordPress has been updated to address two critical-severity vulnerabilities affecting versions up to and including 5.0.12.
Wordfence reports critical flaws in LatePoint WordPress plugin
CVE-2024-8911 (CVSS score 9.8) - Unauthenticated Arbitrary User Password Change - This vulnerability allows an unauthenticated attacker to change the password of any user, including administrator accounts, through a SQL injection exploit. CVE-2024-8943 (CVSS score 9.8) - Authentication Bypass - This flaw allows attackers to bypass authentication and access any user account, including those with administrative privileges, by exploiting weaknesses in the process_step_customer() function.
CVE-2024-8911
Critical Severity. Description: The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to change user passwords and potentially take over administrator accounts. Note that changing a WordPress user's password is only possible if the "Use WordPress users as customers" setting is enabled, which is disabled by default. Without this setting enabled, only the passwords of plugin customers, which are stored and managed in a separate database table, can be modified. Read more at https://www.tenable.com/cve/CVE-2024-8911
CVE-2024-8911 | LatePoint Plugin up to 5.0.11 on WordPress Setting sql injection
A vulnerability classified as critical was found in LatePoint Plugin up to 5.0.11 on WordPress. This vulnerability affects unknown code of the component Setting Handler. The manipulation leads to SQL injection. This vulnerability was named CVE-2024-8911. The attack can be initiated remotely. There is no exploit available. It is recommended to upgrade the affected component.

CVSS V3.1

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
