LatePoint WordPress Plugin Insecure Direct Object Reference Vulnerability Allowing Unauthorized Access to Financial Data

Vulnerability

An insecure direct object reference (IDOR) vulnerability has been identified in the LatePoint WordPress plugin, affecting all versions through 5.3.2. The issue arises in the OsStripeConnectController's 'create_payment_intent_for_transaction' action, which is publicly accessible without authentication. This action retrieves invoices by sequential integer ID and performs no access verification, whereas the related actions in the OsInvoicesController require a cryptographic UUID access key. As a result, unauthenticated attackers can exploit this vulnerability to enumerate valid invoice IDs, create unauthorized transaction intent records containing sensitive financial information (such as invoice ID, order ID, customer ID, and charge amount), and, on sites with Stripe Connect enabled, obtain leaked Stripe payment intent client secret tokens, transaction intent keys, and payment amounts for any invoice.
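The two patterns the advisory contrasts, as an added illustration that is not LatePoint's code: a public AJAX handler that looks an invoice up by its sequential integer ID with no access check, beside a handler that requires the invoice's unguessable per-record access key before returning anything. All names here (the demo_ functions, the demo_invoices table and its access_key column, the POST parameter names) are hypothetical; the WordPress functions used (add_action, wp_send_json_*, $wpdb->prepare, sanitize_text_field) are real.

```php
<?php
// Added example: hypothetical handlers in the style of a WordPress plugin.
// Not LatePoint's code; table, column and parameter names are invented.

// --- Vulnerable pattern: the integer ID is the only thing the caller supplies. ---
function demo_vulnerable_create_payment_intent() {
    global $wpdb;
    $invoice_id = intval( $_POST['invoice_id'] ?? 0 );

    // Nothing ties the caller to this invoice, so an unauthenticated client can
    // walk IDs 1, 2, 3, ... and receive a record for each one that exists.
    $invoice = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, order_id, customer_id, total FROM {$wpdb->prefix}demo_invoices WHERE id = %d",
        $invoice_id
    ) );
    if ( ! $invoice ) {
        wp_send_json_error( array( 'message' => 'not found' ), 404 ); // also an existence oracle
    }
    wp_send_json_success( array(
        'invoice_id'  => (int) $invoice->id,
        'order_id'    => (int) $invoice->order_id,
        'customer_id' => (int) $invoice->customer_id,
        'amount'      => (float) $invoice->total,
    ) );
}

// --- Hardened pattern: the caller must present the invoice's access key. ---

// Called once when an invoice is created; the key is stored alongside the row
// and only ever shown to the customer the invoice belongs to (e.g. in their
// payment link). 128 bits from a CSPRNG is not guessable by enumeration.
function demo_generate_invoice_access_key() {
    return bin2hex( random_bytes( 16 ) );
}

function demo_hardened_create_payment_intent() {
    global $wpdb;
    $invoice_id = intval( $_POST['invoice_id'] ?? 0 );
    $access_key = sanitize_text_field( $_POST['access_key'] ?? '' );

    // Reject malformed keys before touching the database.
    if ( ! preg_match( '/^[0-9a-f]{32}$/', $access_key ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    $invoice = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, order_id, customer_id, total, access_key FROM {$wpdb->prefix}demo_invoices WHERE id = %d",
        $invoice_id
    ) );

    // Same response whether the invoice is missing or the key is wrong, and a
    // constant-time comparison, so the endpoint leaks nothing about which IDs exist.
    if ( ! $invoice || ! hash_equals( (string) $invoice->access_key, $access_key ) ) {
        // Worth logging: a burst of these from one client is the enumeration signal.
        error_log( sprintf( 'demo: rejected payment intent request for invoice %d', $invoice_id ) );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    wp_send_json_success( array(
        'invoice_id' => (int) $invoice->id,
        'amount'     => (float) $invoice->total,
        // Only what the payment step needs; no customer or order identifiers.
    ) );
}

// The endpoint stays reachable without a login, because paying customers are
// not WordPress users; the access key is what authorizes the request.
add_action( 'wp_ajax_nopriv_demo_create_payment_intent', 'demo_hardened_create_payment_intent' );
add_action( 'wp_ajax_demo_create_payment_intent', 'demo_hardened_create_payment_intent' );
```

The design point is that the key, not the ID, is the authorization: it must be generated from a CSPRNG, compared in constant time, and checked on every action that returns invoice or payment data, not just on some of them. A uniform 403 for both "no such invoice" and "wrong key" removes the existence oracle that the vulnerable handler's 404 provides.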

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive financial data, including invoice details and Stripe payment information, on affected WordPress sites.

Reproduction

To reproduce this vulnerability, send a request to the 'create_payment_intent_for_transaction' action without authentication. Include a sequential invoice ID in the request. The absence of access verification will allow the creation of a transaction intent record containing sensitive financial data.

Remediation

Users are advised to update the LatePoint WordPress plugin to version 5.4.0 or later, where this vulnerability has been patched.

Added: Apr 17, 2026, 5:24 AM
Updated: Apr 17, 2026, 5:24 AM

Vulnerability Rating

Custom Algorithm

spread          5.2
impact          3.1
exploitability  7.8
remediation     7.7
relevance       6.1
threat          4.8
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.