Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer's bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link.
AnalysisAI
Cross-Site Request Forgery in the LatePoint WordPress booking plugin (all versions ≤ 5.3.2) allows unauthenticated attackers to cancel a logged-in customer's appointments without consent by delivering a forged HTTP request. The root cause is missing nonce verification in the request_cancellation() function within the customer cabinet controller. EPSS is negligible at 0.02% (7th percentile), SSVC classifies exploitation as none, and no public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
LatePoint is a WordPress calendar and appointment booking plugin (CPE: cpe:2.3:a:latepoint:latepoint_-_calendar_booking_plugin_for_appointments_and_events:*:*:*:*:*:*:*:*). The vulnerability is classified as CWE-352 (Cross-Site Request Forgery) and originates in the request_cancellation() function inside lib/controllers/customer_cabinet_controller.php. WordPress relies on cryptographic nonces to validate that state-changing requests originate from legitimate, same-origin interactions. The absence of nonce verification on this endpoint means the browser will automatically include the authenticated customer's session cookies in any cross-origin POST triggered by a malicious page or link, allowing the action to succeed without the user's knowledge. The CVSS vector AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N confirms the attack is network-reachable, requires no privileges, but depends entirely on user interaction.
RemediationAI
The primary fix is to upgrade LatePoint to version 5.4.0 or later, which introduces proper nonce verification on the request_cancellation() function, as confirmed by the WordPress plugin Trac changeset 3505127 (https://plugins.trac.wordpress.org/changeset/3505127/latepoint/tags/5.4.0/lib/controllers/customer_cabinet_controller.php). Updates can be applied via the WordPress admin dashboard under Plugins > Installed Plugins. If immediate upgrade is not feasible, a compensating control is to restrict access to the customer cabinet cancellation endpoint via a web application firewall rule that enforces same-origin referrer checks, though this may break legitimate mobile or third-party client flows. Additionally, educating customers about phishing-style social engineering reduces the prerequisite UI:R condition. There are no known trade-offs to the official patch.
Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3)
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Esca
Privilege escalation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.5.1) allows
Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0)
Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unaut
Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthe
Same weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30249
GHSA-v39f-vpq3-7925