Introduction
In recent security research, a critical vulnerability was identified in the LatePoint plugin for WordPress, affecting versions up to and including 4.9.9. The vulnerability, tracked as CVE-2024-2472, has been rated with a CVSS score of 9.1 (Critical) because of its severe implications for unauthorized data access and modification. It arises from a missing capability check in the start_or_use_session_for_customer function, which exposes sensitive information and allows unauthorized actions by attackers. The flaw was discovered by security researchers Gharib Sharifi and Joel Aviad Ossi, highlighting the potential risks associated with this plugin.
Vulnerability Description
The LatePoint plugin for WordPress facilitates appointment booking and management. The identified vulnerability is an Insecure Direct Object Reference (IDOR) caused by improper handling of session cookies. Upon booking a service, such as a haircut appointment, the plugin assigns a session cookie to the user. This cookie includes a numeric value that directly correlates to the user's session and their personal information.
The critical issue lies in the modifiable nature of this cookie value. An attacker can manipulate the numeric portion of the cookie (e.g., changing 6606 to 6605) to gain unauthorized access to other users' sessions. This can lead to the exposure of sensitive personal information, including names, last names, dates of birth, and phone numbers. Additionally, if the website allows appointment management, the attacker could alter, cancel, or create appointments under another user's identity.
Proof of Concept
To demonstrate the vulnerability, consider the following proof of concept:
- User Session Initialization: A user visits a website using the LatePoint plugin and books a service, receiving a session cookie. For instance, a customer named John Doe books an appointment and gets a cookie whose value has the structure UserID||Timestamp||Hash. Example value before modification (the || separator appears URL-encoded as %7C%7C):
5%7C%7C1703097251%7C%7C7c8c3c2ca3e8f499583a474cd292c0767eb4559ae159e5477b8e7340b2eb8295
- Cookie Manipulation: An attacker intercepts and modifies the UserID portion of the cookie value to switch to a different user session. For example, changing 5 to 1:
1%7C%7C1703097251%7C%7C7c8c3c2ca3e8f499583a474cd292c0767eb4559ae159e5477b8e7340b2eb8295
- Unauthorized Access: The attacker refreshes the page, gaining access to the previous data input and appointment management functionalities of the altered user session. This unauthorized access can reveal personal information and allow the attacker to manipulate appointments.
Detailed Research and Impact
The vulnerability was first discovered by Gharib Sharifi and further developed into a full proof-of-concept by Joel Aviad Ossi. Their research demonstrated the potential impact on sensitive personally identifiable and payment information (PII), including the exfiltration of credit card details. This collaboration highlighted the severe consequences of this vulnerability, resulting in Wordfence assigning it a critical impact score of 9.1.
Exploit Explanation
To protect against potential misuse, the exploit script used to demonstrate this vulnerability is not included in this blog. However, the script automates the process of exploiting the IDOR vulnerability to extract sensitive information from the LatePoint plugin. Here is an explanation of its functionality:
- Initialization and Setup: The script sets up a session and prompts the user to enter the target website.
- Cookie Handling: The script sends a request to the target website to obtain the original session cookie. It then modifies the UserID portion of the cookie to iterate through different user sessions.
- Concurrent Execution: Using a thread pool, the script concurrently processes multiple user IDs to speed up the exploitation process.
- Data Extraction: For each modified session, the script sends requests to extract sensitive information, including names, email addresses, credit card numbers, expiration dates, and security codes. The extracted data is then saved to a file.
This explanation highlights how an attacker could potentially dump entire databases of sensitive information, including credit card details, by exploiting the vulnerability in the LatePoint plugin.
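The enumeration pattern described in the proof of concept and the exploit explanation above has a distinctive signature in access logs: only the UserID field of the cookie changes from request to request while the Timestamp and Hash fields stay constant. The following detection sketch is an added example, not code from the original post or from the LatePoint project; the log line format, the cookie values and the threshold are constructed assumptions.

```python
"""Flag clients that enumerate LatePoint-style session cookies (UserID||Timestamp||Hash)."""
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample log lines (not from the original post). Assumed format per line:
# <client_ip> <method> <path> <cookie-value>, with the cookie still URL-encoded
# exactly as a browser sends it (UserID%7C%7CTimestamp%7C%7CHash).
SAMPLE_LOG = """\
203.0.113.7 GET /booking 5%7C%7C1703097251%7C%7Cabc123
203.0.113.7 GET /booking 1%7C%7C1703097251%7C%7Cabc123
203.0.113.7 GET /booking 2%7C%7C1703097251%7C%7Cabc123
203.0.113.7 GET /booking 3%7C%7C1703097251%7C%7Cabc123
198.51.100.9 GET /booking 42%7C%7C1703099000%7C%7Cdef456
198.51.100.9 GET /booking 42%7C%7C1703099000%7C%7Cdef456
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_cookie(raw):
    """Decode the cookie and split it into (user_id, timestamp, hash); None if malformed."""
    parts = unquote(raw).split("||")
    if len(parts) != 3 or not parts[0].isdigit():
        return None
    return parts[0], parts[1], parts[2]


def find_enumeration(log_text, threshold=3):
    """Return {client_ip: sorted UserIDs} for clients that reused one Timestamp+Hash
    pair with at least `threshold` distinct UserIDs. A legitimate client keeps a
    single UserID per session; an attacker flipping only the ID field does not."""
    seen = defaultdict(set)  # (ip, timestamp, hash) -> {user_id, ...}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        parsed = parse_cookie(m.group(4))
        if parsed is None:
            continue
        uid, ts, digest = parsed
        seen[(m.group(1), ts, digest)].add(uid)
    flagged = defaultdict(set)
    for (ip, _ts, _digest), ids in seen.items():
        if len(ids) >= threshold:
            flagged[ip].update(ids)
    return {ip: sorted(ids, key=int) for ip, ids in flagged.items()}


if __name__ == "__main__":
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f"possible session enumeration from {ip}: UserIDs {ids}")
```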
Remediation
The vulnerability has been patched in version 4.9.9.1 of the LatePoint plugin. Users are strongly advised to update to this version or newer patched versions to mitigate the risk of unauthorized access and data exposure.
- Patched Version: 4.9.9.1
- Affected Versions: <= 4.9.9
Exceptions
The exploit did not work for plugin users when the setting "Use WordPress users as customers" was set to OFF.
Conclusion
The discovery and mitigation of the IDOR vulnerability in the LatePoint plugin underscore the critical need for rigorous security checks in software development. This case serves as a reminder of the potential risks associated with insecure session management and the importance of implementing proper capability checks to protect sensitive information. Users of the LatePoint plugin should promptly update to the latest version to safeguard their data and maintain secure operations.
For further details and technical insights, refer to the published reports by the discoverers and the Wordfence Intelligence user interface.