Skip to main content

LatePoint Plugin CVE-2026-5365

| EUVDEUVD-2026-30249 MEDIUM
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-05-14 Wordfence GHSA-v39f-vpq3-7925
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 10:56 vuln.today
CVE Published
May 14, 2026 - 06:44 nvd
MEDIUM 4.3

DescriptionCVE.org

The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer's bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link.

AnalysisAI

Cross-Site Request Forgery in the LatePoint WordPress booking plugin (all versions ≤ 5.3.2) allows unauthenticated attackers to cancel a logged-in customer's appointments without consent by delivering a forged HTTP request. The root cause is missing nonce verification in the request_cancellation() function within the customer cabinet controller. EPSS is negligible at 0.02% (7th percentile), SSVC classifies exploitation as none, and no public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

LatePoint is a WordPress calendar and appointment booking plugin (CPE: cpe:2.3:a:latepoint:latepoint_-_calendar_booking_plugin_for_appointments_and_events:*:*:*:*:*:*:*:*). The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and originates in the request_cancellation() function inside lib/controllers/customer_cabinet_controller.php. WordPress relies on cryptographic nonces to validate that state-changing requests originate from legitimate, same-origin interactions. The absence of nonce verification on this endpoint means the browser will automatically include the authenticated customer's session cookies in any cross-origin POST triggered by a malicious page or link, allowing the action to succeed without the user's knowledge. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N confirms the attack is network-reachable, requires no privileges, but depends entirely on user interaction.

RemediationAI

The primary fix is to upgrade LatePoint to version 5.4.0 or later, which introduces proper nonce verification on the request_cancellation() function, as confirmed by the WordPress plugin Trac changeset 3505127 (https://plugins.trac.wordpress.org/changeset/3505127/latepoint/tags/5.4.0/lib/controllers/customer_cabinet_controller.php). Updates can be applied via the WordPress admin dashboard under Plugins > Installed Plugins. If immediate upgrade is not feasible, a compensating control is to restrict access to the customer cabinet cancellation endpoint via a web application firewall rule that enforces same-origin referrer checks, though this may break legitimate mobile or third-party client flows. Additionally, educating customers about phishing-style social engineering reduces the prerequisite UI:R condition. There are no known trade-offs to the official patch.

Share

CVE-2026-5365 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy