Description
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_password() function of its customer_cabinet__change_password AJAX route. The plugin hooks this endpoint via wp_ajax and wp_ajax_nopriv but does not verify a nonce or user capability before resetting the user’s password. This makes it possible for unauthenticated attackers who trick a logged-in customer (or, with “WP users as customers” enabled, an administrator) into visiting a malicious link to take over their account.
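The missing-nonce pattern described above, shown beside a hardened form in a generic WordPress AJAX password-change handler. This is an added example, not LatePoint's code or its patch; the action names, nonce action, POST field names and minimum length are assumptions chosen for illustration.

```php
<?php
// Added illustration: generic WordPress handlers, not LatePoint's code.
// Action names, nonce action and field names are hypothetical.

// Pattern matching the description: a state-changing handler registered for
// logged-in and logged-out callers, with no nonce verification.
add_action( 'wp_ajax_example_change_password', 'example_change_password_unsafe' );
add_action( 'wp_ajax_nopriv_example_change_password', 'example_change_password_unsafe' );

function example_change_password_unsafe() {
    // A cross-site request carries the victim's session cookie, so the
    // "current user" here is whoever's browser sent the request.
    $new = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';
    wp_set_password( $new, get_current_user_id() );
    wp_send_json_success();
}

// Hardened form: authenticated hook only, nonce bound to user and action.
add_action( 'wp_ajax_example_change_password_safe', 'example_change_password_safe' );

function example_change_password_safe() {
    // Ends the request with HTTP 403 unless $_REQUEST['nonce'] was minted
    // for this session with wp_create_nonce( 'example_change_password' ).
    check_ajax_referer( 'example_change_password', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    $new = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';
    if ( strlen( $new ) < 12 ) { // constructed minimum length
        wp_send_json_error( array( 'message' => 'Password too short.' ), 400 );
    }

    // Only the authenticated caller's own account is ever modified.
    wp_set_password( $new, get_current_user_id() );
    wp_send_json_success();
}

// Form side: emit the nonce the hardened handler expects.
function example_password_form_nonce_field() {
    $nonce = wp_create_nonce( 'example_change_password' );
    return '<input type="hidden" name="nonce" value="' . esc_attr( $nonce ) . '">';
}
```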
CVSS breakdown
CVSS 3.1
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Affected products
References
- MISC: https://www.wordfence.com/threat-intel/vulnerabilities/id/df8a8ce0-7258-40ae-bf73-f8c6185fdd16?source=cve
- MISC: https://plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/lib/controllers/customer_cabinet_controller.php#L403
- MISC: https://wordpress.org/plugins/latepoint/#developers
- MISC: https://plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/latepoint.php
- MISC: https://plugins.trac.wordpress.org/changeset/3366851/latepoint/tags/5.2.0/lib/controllers/customer_cabinet_controller.php