Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
3DescriptionCVE.org
Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6.
AnalysisAI
An authorization bypass vulnerability exists in LatePoint versions up to and including 5.2.6 that allows attackers to exploit incorrectly configured access control security levels through user-controlled key manipulation. This Insecure Direct Object Reference (IDOR) vulnerability enables attackers without proper authentication or authorization to access resources they should not have permission to view or modify. The vulnerability affects the LatePoint WordPress plugin and has been documented by Patchstack with proof-of-concept details available, making it a practical exploitation risk for unpatched installations.
Technical ContextAI
The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), a common access control flaw where applications fail to properly validate user permissions when object references (such as user IDs, appointment IDs, or resource identifiers) are passed as user-controllable parameters. LatePoint, identified by CPE cpe:2.3:a:latepoint:latepoint:*:*:*:*:*:*:*:*, is a WordPress plugin providing scheduling and booking functionality. The plugin fails to implement adequate server-side authorization checks, relying instead on weak or absent validation of user-supplied keys or identifiers. This allows attackers to enumerate or manipulate parameters (such as appointment IDs or customer records) to access data belonging to other users without proper authentication or authorization checks, which is a classic IDOR vulnerability pattern.
RemediationAI
Update LatePoint to a patched version released after 5.2.6, if available from the plugin developer. Visit the official LatePoint documentation and Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/latepoint/vulnerability/wordpress-latepoint-plugin-5-2-6-insecure-direct-object-references-idor-vulnerability) to confirm the latest secure version and deployment instructions. As an interim workaround pending patch availability, restrict access to LatePoint administrative and booking interfaces using a Web Application Firewall (WAF) with rules to detect and block parameter tampering, enforce role-based access controls at the WordPress level, limit API endpoint access to authenticated users only, and implement audit logging on all appointment and resource access. Additionally, consider disabling LatePoint temporarily if not critical until a patched version is released. Database backups should be verified before applying patches to ensure recovery capability.
The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. Rate
The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to,
The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a
Blind SQL injection in the LatePoint WordPress appointment-booking plugin (versions up to and including 5.6.3) lets remo
Cross-Site Request Forgery (CSRF) vulnerability in Latepoint LatePoint allows Cross Site Request Forgery.9.91. Rated hig
Privilege escalation in the LatePoint WordPress plugin versions 5.5.1 and earlier allows authenticated users holding low
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Latepoint L
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-15905
GHSA-4w94-x732-jcmm