WordPress Calendar Plugin Vulnerability Affects Up To 100k Sites

Vulnerability in the LatePoint WordPress calendar plugin hits up to 100,000+ websites.

Wordfence published an advisory on a vulnerability in the LatePoint – Calendar Booking WordPress plugin that makes it possible for authenticated attackers with Agent-level access and above to gain higher-level privileges. The vulnerability received a CVSS severity score of 8.8/10. The issue affects all versions up to and including 5.2.7.

LatePoint WordPress Calendar Plugin

The LatePoint WordPress plugin is used by service-based businesses to enable customers to book appointments online, manage calendars, accept payments, and send confirmations.

Authenticated (Agent+) Privilege Escalation

The vulnerability requires authentication. Attackers must have an account with the LatePoint Agent role or higher. Agent is not an administrator role. It is typically assigned to staff who manage bookings and customer records. On affected sites, that level of access is enough to exploit the flaw.

The vulnerability is due to the plugin allowing users with a LatePoint Agent role, when creating new customers, to set the wordpress_user_id field. The wordpress_user_id field links a LatePoint customer record to a WordPress user account.

The plugin does not restrict which WordPress user ID can be assigned. Because of this, an Agent can create a customer and link it to any existing WordPress user account, including an administrator account. After linking the account, the Agent can reset the password.

According to Wordfence:

“The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the ‘wordpress_user_id’ field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password.”

What Attackers Can Do

This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to an arbitrary user ID and then resetting that user’s password.
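To make the root cause concrete, here is an added illustration (not LatePoint's code, and not from the advisory) of the weak pattern the advisory describes beside a hardened form of the same step. The function names, the `$customer` array and the `$request` array are assumptions; the WordPress functions used (`absint`, `get_userdata`, `current_user_can`, `user_can`, `WP_Error`) are real core APIs.

```php
<?php
// Hypothetical illustration only. save_customer_link_vulnerable(),
// save_customer_link_hardened(), $customer and $request are assumed names.

// Weak pattern: the wordpress_user_id submitted by an Agent is trusted as-is,
// so a customer record can be pointed at any existing WordPress account.
function save_customer_link_vulnerable( array $customer, array $request ) {
    $customer['wordpress_user_id'] = absint( $request['wordpress_user_id'] ?? 0 );
    return $customer;
}

// Hardened pattern: a link is accepted only when the caller may edit that
// WordPress user, and never to a user holding capabilities the caller lacks.
function save_customer_link_hardened( array $customer, array $request ) {
    $target_id = absint( $request['wordpress_user_id'] ?? 0 );

    if ( 0 === $target_id ) {
        $customer['wordpress_user_id'] = 0; // no link requested
        return $customer;
    }

    $target = get_userdata( $target_id );
    if ( false === $target ) {
        return new WP_Error( 'invalid_user', 'Unknown WordPress user ID.' );
    }

    // edit_user is a WordPress meta capability; by default only users with
    // edit_users (administrators) pass it for accounts other than their own.
    if ( ! current_user_can( 'edit_user', $target_id ) ) {
        return new WP_Error( 'forbidden', 'Not allowed to link this account.' );
    }

    // Belt and braces: refuse to link to a user who holds privileged
    // capabilities the current user does not have.
    foreach ( array( 'manage_options', 'edit_users', 'promote_users' ) as $cap ) {
        if ( user_can( $target, $cap ) && ! current_user_can( $cap ) ) {
            return new WP_Error( 'forbidden', "Target user holds $cap; refusing link." );
        }
    }

    $customer['wordpress_user_id'] = $target_id;
    return $customer;
}
```

The same ownership check belongs on the password-reset path: a reset for a customer should only ever act on a WordPress account the customer record is legitimately allowed to be linked to.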

Affected Versions And Patch

The vulnerability affects all versions up to and including 5.2.7. The issue has been patched in version 5.2.8. Users of the LatePoint plugin should update to version 5.2.8 or a newer version.

Featured Image by Shutterstock/breakermaximus

By Roger Montti, SEJ Staff (Owner, Martinibuster.com)