Skip to main content

LatePoint Plugin CVE-2026-11398

| EUVDEUVD-2026-41524 MEDIUM
Missing Authorization (CWE-862)
2026-07-03 Wordfence GHSA-w64h-p64p-r649
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Network-accessible booking form requires no authentication under guest-booking config; only PII integrity is affected with no confidentiality or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 03, 2026 - 09:17 vuln.today
CVE Published
Jul 03, 2026 - 07:53 cve.org
MEDIUM 5.3

DescriptionCVE.org

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the personally identifiable information (first name, last name, phone number, and notes) of any existing customer record, including those linked to administrator accounts, by submitting the booking form with a known customer's email address. Exploitation requires the plugin to be configured with guest bookings enabled (is_customer_auth_disabled() returning true), which is necessary for the vulnerable unauthenticated code path in process_step_customer() to be reached.

AnalysisAI

Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with LatePoint guest bookings enabled
Delivery
Enumerate or guess a valid registered customer email address
Exploit
Craft booking form submission with target email and modified PII
Execution
Submit unauthenticated POST to booking step endpoint
Persist
Plugin matches email and overwrites customer record without authorization check
Impact
Target customer PII corrupted in database

Vulnerability AssessmentAI

Exploitation Exploitation requires the LatePoint plugin to be configured with guest bookings enabled - specifically, the internal function `is_customer_auth_disabled()` must return true, which is a deliberate operator-configured setting permitting unauthenticated users to complete bookings without logging in. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor-assigned CVSS 3.1 score of 5.3 Medium (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) is consistent with the vulnerability's actual scope: integrity-only impact limited to PII field modification, with no confidentiality exposure and no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting a WordPress site with LatePoint's guest booking feature enabled enumerates a valid customer email address - obtainable via booking confirmation emails, contact forms, or guessing common patterns - then submits the public-facing LatePoint booking form with that email and arbitrary values in the name, phone, and notes fields. The plugin matches the email to the existing customer record and updates the PII without any authorization check, silently overwriting the legitimate customer's data. …
Remediation Update the LatePoint plugin to a version beyond 5.6.1 as soon as an updated release is published to the WordPress plugin directory; a fix has been committed to the plugin repository as changeset revision 3572632 (https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3572632%40latepoint&new=3572632%40latepoint&sfp_email=&sfph_mail=), though the exact released patched version number has not been independently confirmed from available data - verify against the WordPress.org plugin page. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-11398 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy