Skip to main content

Latepoint EUVDEUVD-2026-15905

| CVE-2026-32533 MEDIUM
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-03-25 Patchstack GHSA-4w94-x732-jcmm
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Mar 25, 2026 - 16:47 euvd
EUVD-2026-15905
Analysis Generated
Mar 25, 2026 - 16:47 vuln.today
CVE Published
Mar 25, 2026 - 16:15 nvd
MEDIUM 6.5

DescriptionCVE.org

Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6.

AnalysisAI

An authorization bypass vulnerability exists in LatePoint versions up to and including 5.2.6 that allows attackers to exploit incorrectly configured access control security levels through user-controlled key manipulation. This Insecure Direct Object Reference (IDOR) vulnerability enables attackers without proper authentication or authorization to access resources they should not have permission to view or modify. The vulnerability affects the LatePoint WordPress plugin and has been documented by Patchstack with proof-of-concept details available, making it a practical exploitation risk for unpatched installations.

Technical ContextAI

The vulnerability is rooted in CWE-639 (Authorization Bypass Through User-Controlled Key), a common access control flaw where applications fail to properly validate user permissions when object references (such as user IDs, appointment IDs, or resource identifiers) are passed as user-controllable parameters. LatePoint, identified by CPE cpe:2.3:a:latepoint:latepoint:*:*:*:*:*:*:*:*, is a WordPress plugin providing scheduling and booking functionality. The plugin fails to implement adequate server-side authorization checks, relying instead on weak or absent validation of user-supplied keys or identifiers. This allows attackers to enumerate or manipulate parameters (such as appointment IDs or customer records) to access data belonging to other users without proper authentication or authorization checks, which is a classic IDOR vulnerability pattern.

RemediationAI

Update LatePoint to a patched version released after 5.2.6, if available from the plugin developer. Visit the official LatePoint documentation and Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/latepoint/vulnerability/wordpress-latepoint-plugin-5-2-6-insecure-direct-object-references-idor-vulnerability) to confirm the latest secure version and deployment instructions. As an interim workaround pending patch availability, restrict access to LatePoint administrative and booking interfaces using a Web Application Firewall (WAF) with rules to detect and block parameter tampering, enforce role-based access controls at the WordPress level, limit API endpoint access to authenticated users only, and implement audit logging on all appointment and resource access. Additionally, consider disabling LatePoint temporarily if not critical until a patched version is released. Database backups should be verified before applying patches to ensure recovery capability.

Share

EUVD-2026-15905 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy