CVE-2024-8943: 
WordPress vulnerability analysis and mitigation

The LatePoint plugin for WordPress contains an authentication bypass vulnerability (CVE-2024-8943) affecting versions up to and including 5.0.12. The vulnerability was discovered and disclosed in September 2024, impacting WordPress installations using the LatePoint booking plugin (Wordfence Advisory).

The vulnerability stems from insufficient verification of user credentials during the booking customer step. This security flaw has been assigned a CVSS v3.1 score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The issue is categorized under CWE-306 (Missing Authentication for Critical Function) and CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (NVD).

The vulnerability allows unauthenticated attackers to log in as any existing user on the site, including administrators, provided they have access to the user ID. This is particularly critical when the 'Use WordPress users as customers' setting is enabled, though this setting is disabled by default (NVD).

The vulnerability has been partially patched in version 5.0.12 and fully patched in version 5.0.13. Site administrators are strongly advised to update to version 5.0.13 or later to fully mitigate this security risk (LatePoint Changelog).