
    46 vulnerabilities found for LatePoint – Calendar Booking Plugin for Appointments and Events by latepoint

    CVE-2026-12657 (GCVE-0-2026-12657)

    Vulnerability from nvd – Published: 2026-07-02 08:33 – Updated: 2026-07-02 12:37
    Title
    LatePoint <= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via 'service_id' Parameter
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service_id' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.
    SSVC
    Exploitation: none · Automatable: yes · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    gidget smith

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12657",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T12:37:41.638345Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T12:37:48.368Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "gidget smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the \u0027service_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T08:33:04.988Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09588c2a-1631-4924-8277-d47f096493c5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1202"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L341"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L244"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1710"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1618"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1202"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L341"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L244"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1710"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1618"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3584059%40latepoint\u0026new=3584059%40latepoint\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-18T19:04:30.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-01T20:02:14.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via \u0027service_id\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12657",
        "datePublished": "2026-07-02T08:33:04.988Z",
        "dateReserved": "2026-06-18T18:49:07.840Z",
        "dateUpdated": "2026-07-02T12:37:48.368Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13228 (GCVE-0-2026-13228)

    Vulnerability from nvd – Published: 2026-07-01 09:32 – Updated: 2026-07-01 15:33
    Title
    LatePoint <= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via 'order[customer_id]' Parameter
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3. This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, which allows an authenticated Agent to supply an arbitrary order[customer_id] and overwrite any LatePoint customer's email field (including one linked to a WordPress Administrator's account) through the public-scope customer set_data() call, combined with a missing role verification in OsAuthHelper::authorize_customer(), which logs in the linked WordPress user without checking its role. This makes it possible for authenticated attackers, with custom (Agent)-level access and above, to elevate their privileges to Administrator.
    SSVC
    Exploitation: none · Automatable: no · Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Credits
    d.v4n_s3c

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13228",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:33:15.747907Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:33:25.338Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "d.v4n_s3c"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3. This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, which allows an authenticated Agent to supply an arbitrary order[customer_id] and overwrite any LatePoint customer\u0027s email field (including one linked to a WordPress Administrator\u0027s account) through the public-scope customer set_data() call, combined with a missing role verification in OsAuthHelper::authorize_customer(), which logs in the linked WordPress user without checking its role. This makes it possible for authenticated attackers, with custom (Agent)-level access and above, to elevate their privileges to Administrator."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T09:32:28.123Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f9db3b8-dd37-4d8b-b041-50b453858a39?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L127"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L137"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/auth_helper.php#L256"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L112"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3590914/latepoint/trunk/lib/controllers/orders_controller.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.6.3\u0026new_path=%2Flatepoint/tags/5.6.4"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-24T16:59:08.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-30T21:30:37.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via \u0027order[customer_id]\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-13228",
        "datePublished": "2026-07-01T09:32:28.123Z",
        "dateReserved": "2026-06-24T16:43:26.354Z",
        "dateUpdated": "2026-07-01T15:33:25.338Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8176 (GCVE-0-2026-8176)

    Vulnerability from nvd – Published: 2026-06-16 09:31 – Updated: 2026-06-16 14:53
    Title
    LatePoint <= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. Three independent flaws in the plugin can be chained so that an authenticated Agent (Agent+) can overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator.
    SSVC
    Exploitation: none · Automatable: no · Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Credits
    The Hao

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8176",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-16T14:53:43.085689Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-16T14:53:59.949Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.5.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "The Hao"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. Three independent flaws in the plugin can be chained so that an authenticated Agent (Agent+) can overwrite a WordPress Administrator\u0027s password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T09:31:33.620Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d5bb6c-2021-4fc0-bede-8da1c3fb591a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/orders_controller.php#L124"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/orders_controller.php#L124"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/orders_controller.php#L100"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/orders_controller.php#L100"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/models/customer_model.php#L427"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/models/customer_model.php#L322"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/models/customer_model.php#L322"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L491"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customer_cabinet_controller.php#L491"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customer_cabinet_controller.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L253"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/helpers/customer_helper.php#L253"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customers_controller.php#L342"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customers_controller.php#L342"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/models/customer_model.php#L322"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L491"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L253"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customers_controller.php#L342"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3531832%40latepoint\u0026old=3522933%40latepoint\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-08T15:28:32.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-15T20:57:10.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8176",
        "datePublished": "2026-06-16T09:31:33.620Z",
        "dateReserved": "2026-05-08T15:11:03.312Z",
        "dateUpdated": "2026-06-16T14:53:59.949Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9719 (GCVE-0-2026-9719)

    Vulnerability from nvd – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:49
    Title
    LatePoint <= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the change_status function. This makes it possible for unauthenticated attackers to change the status of arbitrary invoices — including marking unpaid invoices as paid — without administrator consent via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none · Automatable: no · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Kirasec

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9719",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-06T11:39:16.874639Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-06T11:49:03.864Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.6.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kirasec"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the change_status function. This makes it possible for unauthenticated attackers to change the status of arbitrary invoices \u2014 including marking unpaid invoices as paid \u2014 without administrator consent via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T23:28:27.182Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c720fffe-c089-450a-ac5f-1138c1c223d9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/helpers/params_helper.php#L12"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/controllers/invoices_controller.php#L246"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/controllers/invoices_controller.php#L234"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/helpers/params_helper.php#L12"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/controllers/invoices_controller.php#L246"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/controllers/invoices_controller.php#L234"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3553094/latepoint"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-27T16:21:18.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-05T11:05:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-9719",
        "datePublished": "2026-06-05T23:28:27.182Z",
        "dateReserved": "2026-05-27T16:06:09.857Z",
        "dateUpdated": "2026-06-06T11:49:03.864Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5365 (GCVE-0-2026-5365)

    Vulnerability from nvd – Published: 2026-05-14 06:44 – Updated: 2026-05-14 10:44
    Title
    LatePoint <= 5.3.2 - Cross-Site Request Forgery via 'customer_cabinet__request_cancellation' AJAX Route
    Summary
    The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer's bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link.
    SSVC
    Exploitation: none · Automatable: no · Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Battulga

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5365",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T10:40:43.638203Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T10:44:28.705Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.3.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Battulga"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer\u0027s bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-14T06:44:11.886Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a9285fb-fc4e-4ea4-89d5-f376f03c54a4?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3505127/latepoint/tags/5.4.0/lib/controllers/customer_cabinet_controller.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-10T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-04-01T18:19:29.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-13T17:41:32.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.3.2 - Cross-Site Request Forgery via \u0027customer_cabinet__request_cancellation\u0027 AJAX Route"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5365",
        "datePublished": "2026-05-14T06:44:11.886Z",
        "dateReserved": "2026-04-01T18:03:07.898Z",
        "dateUpdated": "2026-05-14T10:44:28.705Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7652 (GCVE-0-2026-7652)

    Vulnerability from nvd – Published: 2026-05-09 02:25 – Updated: 2026-05-12 02:20
    Title
    LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism
    Summary
    The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0. This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address, provided the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
    Assigner
    Impacted products
    Credits
    Michael Iden

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7652",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T02:20:10.480690Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T02:20:23.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Iden"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer\u0027s email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow\u0027s ability to overwrite an existing customer\u0027s email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-640",
                  "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-09T02:25:39.060Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdaa32cd-a148-4554-9fd5-f5b0a5b2d1c3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1940"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/customer_helper.php#L238"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/latepoint.php#L1165"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/latepoint.php#L1165"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1972"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1972"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1940"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1940"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L238"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L238"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/latepoint.php#L1165"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1972"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3522933/latepoint/trunk/latepoint.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.5.0\u0026new_path=%2Flatepoint/tags/5.5.1"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-01T18:12:32.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-08T14:16:05.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7652",
        "datePublished": "2026-05-09T02:25:39.060Z",
        "dateReserved": "2026-05-01T17:56:49.365Z",
        "dateUpdated": "2026-05-12T02:20:23.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7457 (GCVE-0-2026-7457)

    Vulnerability from nvd – Published: 2026-05-06 06:47 – Updated: 2026-05-06 12:58
    Title
    LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update
    Summary
    The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database — combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7457",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T12:58:14.362612Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T12:58:22.624Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint \u2014 where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database \u2014 combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator\u0027s or agent\u0027s browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T06:47:21.090Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/628b3f53-decd-47ac-a2d1-339ade1e6944?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/misc/process_action.php#L606"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/misc/process_action.php#L606"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L318"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L318"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/replacer_helper.php#L276"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/replacer_helper.php#L276"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/misc/process_action.php#L606"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/controllers/customer_cabinet_controller.php#L318"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/helpers/replacer_helper.php#L276"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3522933%40latepoint%2Ftrunk\u0026old=3516282%40latepoint%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-29T17:51:01.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-05T18:29:59.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7457",
        "datePublished": "2026-05-06T06:47:21.090Z",
        "dateReserved": "2026-04-29T17:35:25.264Z",
        "dateUpdated": "2026-05-06T12:58:22.624Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7448 (GCVE-0-2026-7448)

    Vulnerability from nvd – Published: 2026-05-06 06:47 – Updated: 2026-05-08 12:25

    ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.


    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-05-08T12:25:55.615Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage."
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7448",
        "datePublished": "2026-05-06T06:47:21.950Z",
        "dateRejected": "2026-05-08T12:25:55.615Z",
        "dateReserved": "2026-04-29T17:02:49.595Z",
        "dateUpdated": "2026-05-08T12:25:55.615Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7332 (GCVE-0-2026-7332)

    Vulnerability from nvd – Published: 2026-05-06 06:47 – Updated: 2026-05-06 18:54
    Title
    LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Ly Hoang

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7332",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T18:53:55.612415Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T18:54:33.336Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ly Hoang"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027booking_form_page_url\u0027 parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T06:47:21.566Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c03ddcf0-6955-4645-b311-c3833ca61455?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/activities_controller.php#L214"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/activities_controller.php#L214"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L260"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/stripe_connect_controller.php#L260"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/activities_helper.php#L83"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/activities_helper.php#L83"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/activities_controller.php#L214"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/stripe_connect_controller.php#L260"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/activities_helper.php#L83"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3522933%40latepoint%2Ftrunk\u0026old=3516282%40latepoint%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-29T17:19:06.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-05T18:41:45.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via \u0027booking_form_page_url\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7332",
        "datePublished": "2026-05-06T06:47:21.566Z",
        "dateReserved": "2026-04-28T19:33:39.123Z",
        "dateUpdated": "2026-05-06T18:54:33.336Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6741 (GCVE-0-2026-6741)

    Vulnerability from nvd – Published: 2026-04-27 19:36 – Updated: 2026-04-28 14:49
    Title
    LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Credits
    Valase Paul, Chirita Catalin-Andrei, Ramon Mateas

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6741",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-28T14:48:57.895047Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T14:49:46.116Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.4.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Valase Paul"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Chirita Catalin-Andrei"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Ramon Mateas"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator\u0027s WordPress account and subsequently reset the administrator\u0027s password via the normal customer password-reset flow, resulting in full site takeover."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-27T19:36:46.601Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71e99412-031e-4f4a-9126-dd3a37975246?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/abilities/customers/connect-customer-to-wp-user.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/models/customer_model.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/roles_helper.php"
            },
            {
              "url": "https://wordpress.org/plugins/latepoint/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3514330/latepoint"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T11:22:31.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-27T07:23:53.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via \u0027connect-customer-to-wp-user\u0027 Ability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6741",
        "datePublished": "2026-04-27T19:36:46.601Z",
        "dateReserved": "2026-04-21T11:06:48.322Z",
        "dateUpdated": "2026-04-28T14:49:46.116Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5234 (GCVE-0-2026-5234)

    Vulnerability from nvd – Published: 2026-04-17 03:36 – Updated: 2026-04-17 18:38
    Title
    LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID
    Summary
    The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. By contrast, the other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController correctly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error-message oracle and to create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount); on sites with Stripe Connect configured, the response additionally leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    darkestmode

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5234",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T18:38:28.386411Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T18:38:40.183Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.3.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "darkestmode"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T03:36:44.618Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afec4c8c-a18d-4907-8879-2412f8a1abed?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L31"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L31"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L50"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L50"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L20"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L20"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3505127/latepoint/trunk/lib/controllers/stripe_connect_controller.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-31T14:20:32.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-16T15:19:09.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5234",
        "datePublished": "2026-04-17T03:36:44.618Z",
        "dateReserved": "2026-03-31T14:05:18.117Z",
        "dateUpdated": "2026-04-17T18:38:40.183Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4785 (GCVE-0-2026-4785)

    Vulnerability from nvd – Published: 2026-04-08 03:36 – Updated: 2026-04-08 16:53
    Title
    LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Djaidja Moundjid

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4785",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T14:13:09.433553Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T14:14:28.780Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Djaidja Moundjid"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027button_caption\u0027 parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the \u0027items\u0027 parameter is set to \u0027bundles\u0027. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:53:33.655Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55c5c094-69c0-4e2a-be0c-fab6f1039309?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L272"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L272"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3491516/latepoint"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-24T17:47:11.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-07T15:17:40.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-4785",
        "datePublished": "2026-04-08T03:36:09.316Z",
        "dateReserved": "2026-03-24T17:31:49.689Z",
        "dateUpdated": "2026-04-08T16:53:33.655Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2324 (GCVE-0-2026-2324)

    Vulnerability from nvd – Published: 2026-03-11 01:22 – Updated: 2026-04-08 17:16
    Title
    LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Lukasz Sobanski

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2324",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-11T15:38:28.401773Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-11T15:39:47.543Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.2.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lukasz Sobanski"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:16:43.909Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3ae93da-57ee-4966-83af-b8c57f9ad7d9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3463945/latepoint"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-10T23:39:18.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-03-10T11:29:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events \u003c= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2324",
        "datePublished": "2026-03-11T01:22:04.469Z",
        "dateReserved": "2026-02-10T23:23:38.273Z",
        "dateUpdated": "2026-04-08T17:16:43.909Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1487 (GCVE-0-2026-1487)

    Vulnerability from nvd – Published: 2026-03-03 01:21 – Updated: 2026-04-08 17:29
    Title
    LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary SQL queries on the database that can be used to extract information via time-based techniques, drop tables, or modify data.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Chiao-Lin Yu

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1487",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T15:57:18.083203Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T16:06:59.020Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.2.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chiao-Lin Yu"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data.  This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary SQL queries on the database that can be used to extract information via time-based techniques, drop tables, or modify data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:29:02.092Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1bbd339-5eb7-4a62-9c68-bcd76507425c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3463945/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-23T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-01-27T13:56:44.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-03-02T11:25:27.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1487",
        "datePublished": "2026-03-03T01:21:51.239Z",
        "dateReserved": "2026-01-27T13:40:10.237Z",
        "dateUpdated": "2026-04-08T17:29:02.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1566 (GCVE-0-2026-1566)

    Vulnerability from nvd – Published: 2026-03-02 23:22 – Updated: 2026-04-08 17:21
    Title
    LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with the LatePoint Agent role to set the 'wordpress_user_id' field when creating new customers. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to an arbitrary WordPress user ID, including an administrator's, and then resetting that account's password.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Credits
    Hung Nguyen

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1566",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T01:52:05.848759Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T01:52:20.828Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.2.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hung Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the \u0027wordpress_user_id\u0027 field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:21:48.917Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c958880e-6068-4e7d-a780-1251f3ab9bf7?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3463945/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-23T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-01-28T20:52:12.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-03-02T11:03:51.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.2.7 - Authenticated (Agent+) Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1566",
        "datePublished": "2026-03-02T23:22:55.673Z",
        "dateReserved": "2026-01-28T20:18:56.426Z",
        "dateUpdated": "2026-04-08T17:21:48.917Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-12657 (GCVE-0-2026-12657)

    Vulnerability from cvelistv5 – Published: 2026-07-02 08:33 – Updated: 2026-07-02 12:37
    VLAI
    Title
    LatePoint <= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via 'service_id' Parameter
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service_id' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    gidget smith

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-12657",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-02T12:37:41.638345Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-02T12:37:48.368Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.6.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "gidget smith"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the \u0027service_id\u0027 parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-02T08:33:04.988Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/09588c2a-1631-4924-8277-d47f096493c5?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1202"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L341"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/steps_controller.php#L244"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1710"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/steps_helper.php#L1618"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1202"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L341"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/controllers/steps_controller.php#L244"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1710"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.2/lib/helpers/steps_helper.php#L1618"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026old=3584059%40latepoint\u0026new=3584059%40latepoint\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-18T19:04:30.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-07-01T20:02:14.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via \u0027service_id\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-12657",
        "datePublished": "2026-07-02T08:33:04.988Z",
        "dateReserved": "2026-06-18T18:49:07.840Z",
        "dateUpdated": "2026-07-02T12:37:48.368Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-13228 (GCVE-0-2026-13228)

    Vulnerability from cvelistv5 – Published: 2026-07-01 09:32 – Updated: 2026-07-01 15:33
    VLAI
    Title
    LatePoint <= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via 'order[customer_id]' Parameter
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3. This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, which allows an authenticated Agent to supply an arbitrary order[customer_id] and overwrite any LatePoint customer's email field (including one linked to a WordPress Administrator's account) through the public-scope customer set_data() call, combined with a missing role verification in OsAuthHelper::authorize_customer(), which logs in the linked WordPress user without checking its role. This makes it possible for authenticated attackers, with custom (Agent)-level access and above, to elevate their privileges to Administrator.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Credits
    d.v4n_s3c

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-13228",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-01T15:33:15.747907Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-01T15:33:25.338Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.6.3",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "d.v4n_s3c"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, which allows an authenticated Agent to supply an arbitrary order[customer_id] and overwrite any LatePoint customer\u0027s email field (including one linked to a WordPress Administrator\u0027s account) through the public-scope customer set_data() call, combined with a missing role verification in OsAuthHelper::authorize_customer() which logs in the linked WordPress user without checking its role. This makes it possible for authenticated attackers, with custom (Agent)-level access and above, to elevate their privileges to Administrator."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-01T09:32:28.123Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8f9db3b8-dd37-4d8b-b041-50b453858a39?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L127"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L137"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/helpers/auth_helper.php#L256"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.2/lib/controllers/orders_controller.php#L112"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3590914/latepoint/trunk/lib/controllers/orders_controller.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.6.3\u0026new_path=%2Flatepoint/tags/5.6.4"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-24T16:59:08.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-30T21:30:37.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.6.3 - Authenticated (Custom+) Privilege Escalation to Administrator via \u0027order[customer_id]\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-13228",
        "datePublished": "2026-07-01T09:32:28.123Z",
        "dateReserved": "2026-06-24T16:43:26.354Z",
        "dateUpdated": "2026-07-01T15:33:25.338Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-8176 (GCVE-0-2026-8176)

    Vulnerability from cvelistv5 – Published: 2026-06-16 09:31 – Updated: 2026-06-16 14:53
    VLAI
    Title
    LatePoint <= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Credits
    The Hao

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-8176",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-16T14:53:43.085689Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-16T14:53:59.949Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.5.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "The Hao"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator\u0027s password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.5,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-16T09:31:33.620Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d5bb6c-2021-4fc0-bede-8da1c3fb591a?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/orders_controller.php#L124"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/orders_controller.php#L124"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/orders_controller.php#L100"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/orders_controller.php#L100"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/models/customer_model.php#L427"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/models/customer_model.php#L322"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/models/customer_model.php#L322"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L491"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customer_cabinet_controller.php#L491"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customer_cabinet_controller.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L253"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/helpers/customer_helper.php#L253"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customers_controller.php#L342"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customers_controller.php#L342"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/models/customer_model.php#L322"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L491"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L415"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L253"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customers_controller.php#L342"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3531832%40latepoint\u0026old=3522933%40latepoint\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-08T15:28:32.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-15T20:57:10.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-8176",
        "datePublished": "2026-06-16T09:31:33.620Z",
        "dateReserved": "2026-05-08T15:11:03.312Z",
        "dateUpdated": "2026-06-16T14:53:59.949Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-9719 (GCVE-0-2026-9719)

    Vulnerability from cvelistv5 – Published: 2026-06-05 23:28 – Updated: 2026-06-06 11:49
    VLAI
    Title
    LatePoint <= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the change_status function. This makes it possible for unauthenticated attackers to change the status of arbitrary invoices — including marking unpaid invoices as paid — without administrator consent via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Kirasec

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-9719",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-06T11:39:16.874639Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-06T11:49:03.864Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.6.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Kirasec"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the change_status function. This makes it possible for unauthenticated attackers to change the status of arbitrary invoices \u2014 including marking unpaid invoices as paid \u2014 without administrator consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-05T23:28:27.182Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c720fffe-c089-450a-ac5f-1138c1c223d9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/helpers/params_helper.php#L12"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/controllers/invoices_controller.php#L246"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/controllers/invoices_controller.php#L234"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.6.0/lib/helpers/params_helper.php#L12"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/controllers/invoices_controller.php#L246"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.0/lib/controllers/invoices_controller.php#L234"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3553094/latepoint"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-27T16:21:18.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-06-05T11:05:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.6.0 - Cross-Site Request Forgery via invoices__change_status Action"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-9719",
        "datePublished": "2026-06-05T23:28:27.182Z",
        "dateReserved": "2026-05-27T16:06:09.857Z",
        "dateUpdated": "2026-06-06T11:49:03.864Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5365 (GCVE-0-2026-5365)

    Vulnerability from cvelistv5 – Published: 2026-05-14 06:44 – Updated: 2026-05-14 10:44
    Title
    LatePoint <= 5.3.2 - Cross-Site Request Forgery via 'customer_cabinet__request_cancellation' AJAX Route
    Summary
    The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer's bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Battulga

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5365",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-14T10:40:43.638203Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-14T10:44:28.705Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.3.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Battulga"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer\u0027s bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-14T06:44:11.886Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/6a9285fb-fc4e-4ea4-89d5-f376f03c54a4?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3505127/latepoint/tags/5.4.0/lib/controllers/customer_cabinet_controller.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-10T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-04-01T18:19:29.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-13T17:41:32.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.3.2 - Cross-Site Request Forgery via \u0027customer_cabinet__request_cancellation\u0027 AJAX Route"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5365",
        "datePublished": "2026-05-14T06:44:11.886Z",
        "dateReserved": "2026-04-01T18:03:07.898Z",
        "dateUpdated": "2026-05-14T10:44:28.705Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7652 (GCVE-0-2026-7652)

    Vulnerability from cvelistv5 – Published: 2026-05-09 02:25 – Updated: 2026-05-12 02:20
    Title
    LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism
    Summary
    The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0. This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address, provided the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected. The referenced fix compares the 5.5.0 and 5.5.1 tags, so 5.5.1 appears to be the first patched release; sites that cannot update immediately can reduce exposure by disabling the WordPress user integration or the phone-based merge option listed above.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
    Assigner
    Impacted products
    Credits
    Michael Iden

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7652",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-12T02:20:10.480690Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-12T02:20:23.717Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Michael Iden"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer\u0027s email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow\u0027s ability to overwrite an existing customer\u0027s email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-640",
                  "description": "CWE-640 Weak Password Recovery Mechanism for Forgotten Password",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-09T02:25:39.060Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/bdaa32cd-a148-4554-9fd5-f5b0a5b2d1c3?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1940"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/customer_helper.php#L238"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/latepoint.php#L1165"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/latepoint.php#L1165"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1972"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1972"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/steps_helper.php#L1940"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1940"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L238"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L238"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/latepoint.php#L1165"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1972"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3522933/latepoint/trunk/latepoint.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.5.0\u0026new_path=%2Flatepoint/tags/5.5.1"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-05-01T18:12:32.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-08T14:16:05.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7652",
        "datePublished": "2026-05-09T02:25:39.060Z",
        "dateReserved": "2026-05-01T17:56:49.365Z",
        "dateUpdated": "2026-05-12T02:20:23.717Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7448 (GCVE-0-2026-7448)

    Vulnerability from cvelistv5 – Published: 2026-05-06 06:47 – Updated: 2026-05-08 12:25

    ** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage.


    {
      "containers": {
        "cna": {
          "providerMetadata": {
            "dateUpdated": "2026-05-08T12:25:55.615Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "rejectedReasons": [
            {
              "lang": "en",
              "value": "** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. Reason: This candidate was issued in error. Notes: All references and descriptions in this candidate have been removed to prevent accidental usage."
            }
          ]
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7448",
        "datePublished": "2026-05-06T06:47:21.950Z",
        "dateRejected": "2026-05-08T12:25:55.615Z",
        "dateReserved": "2026-04-29T17:02:49.595Z",
        "dateUpdated": "2026-05-08T12:25:55.615Z",
        "state": "REJECTED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7332 (GCVE-0-2026-7332)

    Vulnerability from cvelistv5 – Published: 2026-05-06 06:47 – Updated: 2026-05-06 18:54
    Title
    LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The attacker-supplied value is stored as an activity log entry, and that entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated; a fully functional Stripe integration is therefore not required for exploitation.
    SSVC
    Exploitation: none Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Ly Hoang

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7332",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T18:53:55.612415Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T18:54:33.336Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Ly Hoang"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027booking_form_page_url\u0027 parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 7.2,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T06:47:21.566Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c03ddcf0-6955-4645-b311-c3833ca61455?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/activities_controller.php#L214"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/activities_controller.php#L214"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L260"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/stripe_connect_controller.php#L260"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/activities_helper.php#L83"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/activities_helper.php#L83"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/activities_controller.php#L214"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/stripe_connect_controller.php#L260"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/activities_helper.php#L83"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3522933%40latepoint%2Ftrunk\u0026old=3516282%40latepoint%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-29T17:19:06.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-05T18:41:45.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via \u0027booking_form_page_url\u0027 Parameter"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7332",
        "datePublished": "2026-05-06T06:47:21.566Z",
        "dateReserved": "2026-04-28T19:33:39.123Z",
        "dateUpdated": "2026-05-06T18:54:33.336Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-7457 (GCVE-0-2026-7457)

    Vulnerability from cvelistv5 – Published: 2026-05-06 06:47 – Updated: 2026-05-06 12:58
    Title
    LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update
    Summary
    The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database — combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Niv Kochan

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-7457",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-05-06T12:58:14.362612Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-05-06T12:58:22.624Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.5.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Niv Kochan"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint \u2014 where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database \u2014 combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator\u0027s or agent\u0027s browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-05-06T06:47:21.090Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/628b3f53-decd-47ac-a2d1-339ade1e6944?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/misc/process_action.php#L606"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/misc/process_action.php#L606"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L318"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L318"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/replacer_helper.php#L276"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/replacer_helper.php#L276"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/misc/process_action.php#L606"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/controllers/customer_cabinet_controller.php#L318"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/helpers/replacer_helper.php#L276"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=\u0026sfph_mail=\u0026reponame=\u0026new=3522933%40latepoint%2Ftrunk\u0026old=3516282%40latepoint%2Ftrunk\u0026sfp_email=\u0026sfph_mail="
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-29T17:51:01.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-05-05T18:29:59.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-7457",
        "datePublished": "2026-05-06T06:47:21.090Z",
        "dateReserved": "2026-04-29T17:35:25.264Z",
        "dateUpdated": "2026-05-06T12:58:22.624Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-6741 (GCVE-0-2026-6741)

    Vulnerability from cvelistv5 – Published: 2026-04-27 19:36 – Updated: 2026-04-28 14:49
    Title
    LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover. Note that this is a separate code path from CVE-2026-1566 (the same link-customer-then-reset-password technique via the 'wordpress_user_id' field on customer creation, affecting versions up to 5.2.7): a site that only updated past 5.2.7 remains exposed until it moves beyond 5.4.1. Operators should also audit existing LatePoint customer records for links to WordPress accounts with elevated capabilities, since a link created before patching is not undone by the update.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Credits
    Valase Paul Chirita Catalin-Andrei Ramon Mateas

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-6741",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-28T14:48:57.895047Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-28T14:49:46.116Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.4.1",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Valase Paul"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Chirita Catalin-Andrei"
            },
            {
              "lang": "en",
              "type": "finder",
              "value": "Ramon Mateas"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator\u0027s WordPress account and subsequently reset the administrator\u0027s password via the normal customer password-reset flow, resulting in full site takeover."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-27T19:36:46.601Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71e99412-031e-4f4a-9126-dd3a37975246?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/abilities/customers/connect-customer-to-wp-user.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/models/customer_model.php"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/roles_helper.php"
            },
            {
              "url": "https://wordpress.org/plugins/latepoint/"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3514330/latepoint"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-04-21T11:22:31.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-27T07:23:53.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via \u0027connect-customer-to-wp-user\u0027 Ability"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-6741",
        "datePublished": "2026-04-27T19:36:46.601Z",
        "dateReserved": "2026-04-21T11:06:48.322Z",
        "dateUpdated": "2026-04-28T14:49:46.116Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-5234 (GCVE-0-2026-5234)

    Vulnerability from cvelistv5 – Published: 2026-04-17 03:36 – Updated: 2026-04-17 18:38
    Title
    LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID
    Summary
    The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController, which require an unguessable UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error-message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and, on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice. Note that the assigned CVSS vector records no confidentiality impact (C:N), which understates the client_secret and transaction_intent_key exposure described above; deployments with Stripe Connect enabled should treat this as an information-disclosure issue as well as an integrity one.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-639 - Authorization Bypass Through User-Controlled Key
    Assigner
    Impacted products
    Credits
    darkestmode

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-5234",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-17T18:38:28.386411Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-17T18:38:40.183Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.3.2",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "darkestmode"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "CWE-639 Authorization Bypass Through User-Controlled Key",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-17T03:36:44.618Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afec4c8c-a18d-4907-8879-2412f8a1abed?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L31"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L31"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L33"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L50"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L50"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L20"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L20"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3505127/latepoint/trunk/lib/controllers/stripe_connect_controller.php"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-31T14:20:32.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-16T15:19:09.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-5234",
        "datePublished": "2026-04-17T03:36:44.618Z",
        "dateReserved": "2026-03-31T14:05:18.117Z",
        "dateUpdated": "2026-04-17T18:38:40.183Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-4785 (GCVE-0-2026-4785)

    Vulnerability from cvelistv5 – Published: 2026-04-08 03:36 – Updated: 2026-04-08 16:53
    Title
    LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    Assigner
    Impacted products
    Credits
    Djaidja Moundjid

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-4785",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-04-08T14:13:09.433553Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-04-08T14:14:28.780Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.3.0",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Djaidja Moundjid"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the \u0027button_caption\u0027 parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the \u0027items\u0027 parameter is set to \u0027bundles\u0027. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.4,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T16:53:33.655Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55c5c094-69c0-4e2a-be0c-fab6f1039309?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L272"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L272"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L40"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3491516/latepoint"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-03-24T17:47:11.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-04-07T15:17:40.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-4785",
        "datePublished": "2026-04-08T03:36:09.316Z",
        "dateReserved": "2026-03-24T17:31:49.689Z",
        "dateUpdated": "2026-04-08T16:53:33.655Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-2324 (GCVE-0-2026-2324)

    Vulnerability from cvelistv5 – Published: 2026-03-11 01:22 – Updated: 2026-04-08 17:16
    Title
    LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a logged-in site administrator into performing an action such as clicking on a link. Because the forged request persists the injected script in the booking-form settings, the resulting XSS is stored and affects every visitor of the booking form, not only the administrator who was tricked.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-352 - Cross-Site Request Forgery (CSRF)
    Assigner
    Impacted products
    Credits
    Lukasz Sobanski

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-2324",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-11T15:38:28.401773Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-11T15:39:47.543Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.2.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Lukasz Sobanski"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-352",
                  "description": "CWE-352 Cross-Site Request Forgery (CSRF)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:16:43.909Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3ae93da-57ee-4966-83af-b8c57f9ad7d9?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3463945/latepoint"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-02-10T23:39:18.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-03-10T11:29:15.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events \u003c= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-2324",
        "datePublished": "2026-03-11T01:22:04.469Z",
        "dateReserved": "2026-02-10T23:23:38.273Z",
        "dateUpdated": "2026-04-08T17:16:43.909Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1487 (GCVE-0-2026-1487)

    Vulnerability from cvelistv5 – Published: 2026-03-03 01:21 – Updated: 2026-04-08 17:29
    Title
    LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7, due to insufficient validation of the user-supplied JSON data. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary SQL queries on the database that can be used to extract information via time-based techniques, drop tables, or modify data. Because Administrator-level access is required (CVSS PR:H), the practical exposure is greatest on multisite installations or hardened sites where administrators are otherwise prevented from installing plugins or running arbitrary code; on a typical single-site install an administrator already has equivalent power.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    Assigner
    Impacted products
    Credits
    Chiao-Lin Yu

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1487",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T15:57:18.083203Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T16:06:59.020Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.2.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Chiao-Lin Yu"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data.  This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary SQL queries on the database that can be used to extract information via time-based techniques, drop tables, or modify data."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 6.5,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "CWE-89 Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:29:02.092Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e1bbd339-5eb7-4a62-9c68-bcd76507425c?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3463945/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-23T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-01-27T13:56:44.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-03-02T11:25:27.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1487",
        "datePublished": "2026-03-03T01:21:51.239Z",
        "dateReserved": "2026-01-27T13:40:10.237Z",
        "dateUpdated": "2026-04-08T17:29:02.092Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-1566 (GCVE-0-2026-1566)

    Vulnerability from cvelistv5 – Published: 2026-03-02 23:22 – Updated: 2026-04-08 17:21
    Title
    LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation
    Summary
    The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, when creating new customers, to set the 'wordpress_user_id' field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to an arbitrary user ID, including an administrator's, and then resetting that user's password.
    SSVC
    Exploitation: none Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-269 - Improper Privilege Management
    Assigner
    Impacted products
    Credits
    Hung Nguyen

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-1566",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-03-03T01:52:05.848759Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-03-03T01:52:20.828Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "defaultStatus": "unaffected",
              "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
              "vendor": "latepoint",
              "versions": [
                {
                  "lessThanOrEqual": "5.2.7",
                  "status": "affected",
                  "version": "0",
                  "versionType": "semver"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "finder",
              "value": "Hung Nguyen"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the \u0027wordpress_user_id\u0027 field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password."
            }
          ],
          "metrics": [
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
                "version": "3.1"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-269",
                  "description": "CWE-269 Improper Privilege Management",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-04-08T17:21:48.917Z",
            "orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
            "shortName": "Wordfence"
          },
          "references": [
            {
              "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c958880e-6068-4e7d-a780-1251f3ab9bf7?source=cve"
            },
            {
              "url": "https://plugins.trac.wordpress.org/changeset/3463945/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-01-23T00:00:00.000Z",
              "value": "Discovered"
            },
            {
              "lang": "en",
              "time": "2026-01-28T20:52:12.000Z",
              "value": "Vendor Notified"
            },
            {
              "lang": "en",
              "time": "2026-03-02T11:03:51.000Z",
              "value": "Disclosed"
            }
          ],
          "title": "LatePoint \u003c= 5.2.7 - Authenticated (Agent+) Privilege Escalation"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599",
        "assignerShortName": "Wordfence",
        "cveId": "CVE-2026-1566",
        "datePublished": "2026-03-02T23:22:55.673Z",
        "dateReserved": "2026-01-28T20:18:56.426Z",
        "dateUpdated": "2026-04-08T17:21:48.917Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }