CVE-2024-8911: 
WordPress vulnerability analysis and mitigation

The LatePoint plugin for WordPress contains a critical SQL Injection vulnerability (CVE-2024-8911) in versions up to and including 5.0.11. The vulnerability allows unauthenticated attackers to perform arbitrary user password changes due to insufficient escaping of user-supplied parameters and inadequate SQL query preparation. This vulnerability is particularly impactful when the 'Use WordPress users as customers' setting is enabled, though it's disabled by default (NVD).

The vulnerability has been assigned a CVSS v3.1 score of 9.8 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue stems from improper input validation and SQL query preparation, allowing attackers to manipulate user passwords through SQL injection. The vulnerability is classified as CWE-89: Improper Neutralization of Special Elements used in an SQL Command (NVD).

When exploited, this vulnerability enables unauthenticated attackers to change user passwords and potentially gain administrative access to WordPress installations. If the 'Use WordPress users as customers' setting is enabled, attackers can modify WordPress user passwords. Even with this setting disabled, attackers can still modify passwords of plugin customers stored in a separate database table (NVD).

The vulnerability has been patched in version 5.0.12 of the LatePoint plugin. Site administrators are strongly advised to update to this version or later immediately. The fix addresses the SQL injection vulnerability by properly escaping user input and implementing proper SQL query preparation (LatePoint Changelog).