Skip to main content

LatePoint Booking Plugin CVE-2026-12657

| EUVDEUVD-2026-41261 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-02 Wordfence GHSA-p2v5-84j7-pc37
5.3
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
vuln.today AI
5.3 MEDIUM

Unauthenticated network exploitation with no complexity barriers; only integrity is impacted through unauthorized booking creation, with no confidentiality or availability consequence.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 02, 2026 - 10:20 vuln.today
CVE Published
Jul 02, 2026 - 08:33 cve.org
MEDIUM 5.3

DescriptionCVE.org

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service_id' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.

AnalysisAI

Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify WordPress site with LatePoint plugin installed
Delivery
Enumerate restricted service IDs via sequential presets[selected_service] values
Exploit
Submit crafted POST to public steps__start or steps__load_step endpoint
Execution
Plugin processes booking without authorization check
Persist
Approved booking created for admin/agent-only service
Impact
Restricted appointment capacity consumed and unauthorized booking notifications triggered

Vulnerability AssessmentAI

Exploitation No authentication is required - CVSS PR:N confirms the vulnerable endpoints are accessible to any unauthenticated visitor. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 5.3 Medium score reflects the constrained integrity-only impact (C:N/I:L/A:N) despite a fully unauthenticated, network-accessible, zero-complexity attack path. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker sends sequential POST requests to the publicly accessible steps__start endpoint, incrementing the presets[selected_service] integer parameter to enumerate service IDs until responses indicate a restricted admin/agent-only service. The attacker then completes the booking workflow through steps__load_step using the identified restricted service_id, causing the plugin to create an approved booking and consume capacity on the restricted service without any WordPress login or plugin account. …
Remediation Update the LatePoint plugin to a version above 5.6.2 as soon as a patched release is confirmed available. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12657 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy