{"api_version":"1","generated_at":"2026-04-17T12:04:45+00:00","cve":"CVE-2024-2472","urls":{"html":"https://cve.report/CVE-2024-2472","api":"https://cve.report/api/cve/CVE-2024-2472.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2024-2472","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2024-2472"},"summary":{"title":"LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive Information Exposure via IDOR","description":"The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customer's cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account.","state":"PUBLISHED","assigner":"Wordfence","published_at":"2024-06-14 10:15:09","updated_at":"2026-04-08 18:21:06"},"problem_types":["CWE-639","CWE-639 CWE-639 Authorization Bypass Through User-Controlled Key"],"metrics":[{"version":"3.1","source":"security@wordfence.com","type":"Secondary","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"9.1","severity":"CRITICAL","vector":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","data":{"baseScore":9.1,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/6215fa9f-06bc-4dc8-b1f5-a3bb75749f1d?source=cve","name":"https://www.wordfence.com/threat-intel/vulnerabilities/id/6215fa9f-06bc-4dc8-b1f5-a3bb75749f1d?source=cve","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Third Party Advisory"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://websec.nl/blog/critical-idor-vulnerability-in-latepoint-plugin-exposes-sensitive-data-666b78446e63d6dcdb0f73bf","name":"https://websec.nl/blog/critical-idor-vulnerability-in-latepoint-plugin-exposes-sensitive-data-666b78446e63d6dcdb0f73bf","refsource":"security@wordfence.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://aramhairchitects.nl/","name":"https://aramhairchitects.nl/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Not Applicable"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://wpdocs.latepoint.com/changelog/","name":"https://wpdocs.latepoint.com/changelog/","refsource":"af854a3a-2127-422b-91ae-364da2661108","tags":["Product","Release Notes"],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2024-2472","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-2472","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"latepoint","product":"LatePoint Plugin","version":"affected 4.9.9 semver","platforms":[]},{"source":"ADP","vendor":"latepoint","product":"latepoint_plugin","version":"affected 4.9.9.1 custom","platforms":[]}],"timeline":[{"source":"CNA","time":"2024-06-13T21:00:45.000Z","lang":"en","value":"Disclosed"}],"solutions":[],"workarounds":[],"exploits":[],"credits":[{"source":"CNA","value":"Gharib Sharifi","lang":"en"},{"source":"CNA","value":"Joel Aviad Ossi","lang":"en"}],"nvd_cpes":[{"cve_year":"2024","cve_id":"2472","vulnerable":"1","versionEndIncluding":"","cpe1":"cpe","cpe2":"2.3","cpe3":"a","cpe4":"latepoint","cpe5":"latepoint","cpe6":"*","cpe7":"*","cpe8":"*","cpe9":"*","cpe10":"*","cpe11":"wordpress","cpe12":"*","cpe13":"*"}],"vendor_comments":[],"enrichments":{"kev":null,"epss":null,"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"affected":[{"cpes":["cpe:2.3:a:latepoint:latepoint_plugin:4.9.9:*:*:*:*:*:*:*"],"defaultStatus":"unknown","product":"latepoint_plugin","vendor":"latepoint","versions":[{"lessThan":"4.9.9.1","status":"affected","version":"0","versionType":"custom"}]}],"metrics":[{"other":{"content":{"id":"CVE-2024-2472","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2024-06-14T13:33:28.712445Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2024-06-14T13:35:18.415Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"},{"providerMetadata":{"dateUpdated":"2024-08-01T19:11:53.521Z","orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE"},"references":[{"tags":["x_transferred"],"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/6215fa9f-06bc-4dc8-b1f5-a3bb75749f1d?source=cve"},{"tags":["x_transferred"],"url":"https://aramhairchitects.nl/"},{"tags":["x_transferred"],"url":"https://wpdocs.latepoint.com/changelog/"}],"title":"CVE Program Container"}],"cna":{"affected":[{"defaultStatus":"unaffected","product":"LatePoint Plugin","vendor":"latepoint","versions":[{"lessThanOrEqual":"4.9.9","status":"affected","version":"0","versionType":"semver"}]}],"credits":[{"lang":"en","type":"finder","value":"Gharib Sharifi"},{"lang":"en","type":"finder","value":"Joel Aviad Ossi"}],"descriptions":[{"lang":"en","value":"The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customer's cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account."}],"metrics":[{"cvssV3_1":{"baseScore":9.1,"baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-639","description":"CWE-639 Authorization Bypass Through User-Controlled Key","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-08T16:56:57.971Z","orgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","shortName":"Wordfence"},"references":[{"url":"https://www.wordfence.com/threat-intel/vulnerabilities/id/6215fa9f-06bc-4dc8-b1f5-a3bb75749f1d?source=cve"},{"url":"https://aramhairchitects.nl/"},{"url":"https://wpdocs.latepoint.com/changelog/"},{"url":"https://websec.nl/blog/critical-idor-vulnerability-in-latepoint-plugin-exposes-sensitive-data-666b78446e63d6dcdb0f73bf"}],"timeline":[{"lang":"en","time":"2024-06-13T21:00:45.000Z","value":"Disclosed"}],"title":"LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive Information Exposure via IDOR"}},"cveMetadata":{"assignerOrgId":"b15e7b5b-3da4-40ae-a43c-f7aa60e62599","assignerShortName":"Wordfence","cveId":"CVE-2024-2472","datePublished":"2024-06-14T09:36:37.719Z","dateReserved":"2024-03-14T20:16:46.611Z","dateUpdated":"2026-04-08T16:56:57.971Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2024-06-14 10:15:09","lastModifiedDate":"2026-04-08 18:21:06","problem_types":["CWE-639","CWE-639 CWE-639 Authorization Bypass Through User-Controlled Key"],"metrics":{"cvssMetricV31":[{"source":"security@wordfence.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}]},"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:latepoint:latepoint:*:*:*:*:*:wordpress:*:*","versionEndExcluding":"4.9.91","matchCriteriaId":"75F8EEAD-23DD-4963-AD95-5FAE483DD933"}]}]}]},"legacy_mitre":{"record":{"CveYear":"2024","CveId":"2472","Ordinal":"1","Title":"LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive ","CVE":"CVE-2024-2472","Year":"2024"},"notes":[{"CveYear":"2024","CveId":"2472","Ordinal":"1","NoteData":"The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function in all versions up to and including 4.9.9. This makes it possible for unauthenticated attackers to view other customer's cabinets, including the ability to view PII such as email addresses and to change their LatePoint user password, which may or may not be associated with a WordPress account.","Type":"Description","Title":"LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive "}]}}}