Skip to main content

LatePoint CVE-2026-5356

| EUVDEUVD-2026-42227 HIGH
Missing Authorization (CWE-862)
2026-07-08 Wordfence GHSA-jrp6-4xgv-3wr7
7.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
vuln.today AI
7.5 HIGH

Unauthenticated network checkout endpoint (AV:N/PR:N/UI:N), simple token replay (AC:L); impact is payment-integrity only, so I:H with C:N and A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 08, 2026 - 13:16 vuln.today
CVE Published
Jul 08, 2026 - 12:33 cve.org
HIGH 7.5

DescriptionCVE.org

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it possible for unauthenticated attackers to pay an arbitrary amount by supplying a previously succeeded PaymentIntent token.

AnalysisAI

Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0) lets unauthenticated attackers finalize bookings while paying an arbitrary amount. The Stripe Connect payment processor trusts a client-supplied PaymentIntent ID, so an attacker can replay a previously succeeded PaymentIntent token to satisfy the payment check. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Access public LatePoint booking checkout
Delivery
Obtain a previously succeeded Stripe PaymentIntent token
Exploit
Submit booking with client-supplied PaymentIntent ID
Execution
Plugin trusts token without amount validation
Impact
Confirm booking while paying arbitrary amount

Vulnerability AssessmentAI

Exploitation Exploitation requires the site to have LatePoint (≤5.4.0) configured with the Stripe Connect payment processor enabled for bookings - that specific payment integration is the required feature. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score is 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), reflecting a network-reachable, low-complexity, unauthenticated integrity-only impact - consistent with the description of an unauthenticated attacker manipulating payment amounts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker browses to a WordPress site running LatePoint with Stripe Connect, obtains or reuses a PaymentIntent ID that previously reached 'succeeded' status (for example from a small legitimate payment they made), and submits it during a new booking checkout. Because the plugin validates the client-supplied token instead of a server-created PaymentIntent bound to the order amount, the booking is confirmed while the attacker pays an arbitrary (e.g., trivial or zero-effective) amount. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - the corrective code change is published in WordPress plugin trac changeset 3509569 (https://plugins.trac.wordpress.org/changeset/3509569/latepoint), so administrators should update LatePoint to the latest available release beyond 5.4.0 as distributed through that changeset and review the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/1b1338c4-36a8-47b0-b3cf-c5dc690f8c1c?source=cve). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all WordPress instances running LatePoint; disable the plugin if not operationally critical. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-5356 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy