The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice.
The LatePoint WordPress plugin versions up to 5.3.2 contain an Insecure Direct Object Reference vulnerability in the Stripe payment handler that allows unauthenticated attackers to enumerate invoices and create unauthorized transaction records. Attackers can access sensitive financial data including invoice IDs, customer information, and charge amounts without proper authentication or authorization checks.
يحتوي مكون LatePoint للووردبريس على ثغرة وصول مباشر غير آمن في معالج الدفع بـ Stripe حيث يتم تحميل الفواتير بناءً على معرفات متسلسلة دون التحقق من الملكية أو المصادقة. يمكن للمهاجمين غير المصرح لهم تعداد معرفات الفواتير الصحيحة والوصول إلى بيانات مالية حساسة تشمل معرفات العملاء والمبالغ المالية. الثغرة تؤثر على جميع الإصدارات حتى 5.3.2 وتتطلب تحديثاً فورياً.
The LatePoint WordPress plugin versions up to 5.3.2 contain an Insecure Direct Object Reference vulnerability in the Stripe payment handler that allows unauthenticated attackers to enumerate invoices and create unauthorized transaction records. Attackers can access sensitive financial data including invoice IDs, customer information, and charge amounts without proper authentication or authorization checks.
Update the LatePoint plugin to version 5.3.3 or later immediately. Implement authentication checks on the OsStripeConnectController::create_payment_intent_for_transaction action. Add access_key verification similar to other invoice controllers. Disable the plugin if immediate patching is not possible. Review transaction logs for unauthorized access attempts.
قم بتحديث مكون LatePoint إلى الإصدار 5.3.3 أو أحدث فوراً. قم بتنفيذ فحوصات المصادقة على إجراء OsStripeConnectController::create_payment_intent_for_transaction. أضف التحقق من access_key مشابهاً لمتحكمات الفواتير الأخرى. عطّل المكون إذا لم يكن التصحيح الفوري ممكناً. راجع سجلات المعاملات للكشف عن محاولات الوصول غير المصرح به.