Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Network-accessible booking form requires no authentication under guest-booking config; only PII integrity is affected with no confidentiality or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the personally identifiable information (first name, last name, phone number, and notes) of any existing customer record, including those linked to administrator accounts, by submitting the booking form with a known customer's email address. Exploitation requires the plugin to be configured with guest bookings enabled (is_customer_auth_disabled() returning true), which is necessary for the vulnerable unauthenticated code path in process_step_customer() to be reached.
AnalysisAI
Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the LatePoint plugin to be configured with guest bookings enabled - specifically, the internal function `is_customer_auth_disabled()` must return true, which is a deliberate operator-configured setting permitting unauthenticated users to complete bookings without logging in. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor-assigned CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) is consistent with the vulnerability's actual scope: integrity-only impact limited to PII field modification, with no confidentiality exposure and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting a WordPress site with LatePoint's guest booking feature enabled enumerates a valid customer email address - obtainable via booking confirmation emails, contact forms, or guessing common patterns - then submits the public-facing LatePoint booking form with that email and arbitrary values in the name, phone, and notes fields. The plugin matches the email to the existing customer record and updates the PII without any authorization check, silently overwriting the legitimate customer's data. … |
| Remediation | Update the LatePoint plugin to a version beyond 5.6.1 as soon as an updated release is published to the WordPress plugin directory; a fix has been committed to the plugin repository as changeset revision 3572632 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3572632%40latepoint&new=3572632%40latepoint&sfp_email=&sfph_mail=), though the exact released patched version number has not been independently confirmed from available data - verify against the WordPress.org plugin page. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3)
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Esca
Privilege escalation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.5.1) allows
Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0)
Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unaut
Cross-Site Request Forgery in the LatePoint WordPress booking plugin (all versions ≤ 5.3.2) allows unauthenticated attac
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-41524
GHSA-w64h-p64p-r649