Skip to main content

Latepoint Calendar Booking Plugin For Appointments And Events

7 CVEs product

Monthly

CVE-2026-5356 HIGH This Week

Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0) lets unauthenticated attackers finalize bookings while paying an arbitrary amount. The Stripe Connect payment processor trusts a client-supplied PaymentIntent ID, so an attacker can replay a previously succeeded PaymentIntent token to satisfy the payment check. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-11398 MEDIUM This Month

Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
5.3
EPSS
0.3%
CVE-2026-12657 MEDIUM This Month

Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. No public exploit code or CISA KEV listing has been identified, but the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms trivially exploitable, zero-barrier network access against default plugin configurations that utilize service-level access restrictions.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
5.3
EPSS
0.7%
CVE-2026-13228 HIGH This Week

Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3) lets an authenticated Agent-level user hijack any WordPress account by abusing an Insecure Direct Object Reference in OsOrdersController::create_or_update(). By supplying an arbitrary order[customer_id], an attacker overwrites the email of any LatePoint customer - including one tied to a WordPress Administrator - and then logs in as that user because OsAuthHelper::authorize_customer() never checks the linked account's role. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not on CISA KEV, though the root-cause code paths are pinpointed in public plugin source.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
8.8
EPSS
0.3%
CVE-2026-8176 HIGH This Week

Privilege escalation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.5.1) allows an authenticated user with Agent-level access or higher to chain three independent flaws and overwrite a WordPress Administrator's password without invoking any Administrator-only API. Wordfence-reported flaw with no public exploit identified at time of analysis, though source code locations of all three vulnerable code paths are referenced in the disclosure.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD VulDB
CVSS 3.1
7.5
EPSS
0.6%
CVE-2026-5365 MEDIUM This Month

Cross-Site Request Forgery in the LatePoint WordPress booking plugin (all versions ≤ 5.3.2) allows unauthenticated attackers to cancel a logged-in customer's appointments without consent by delivering a forged HTTP request. The root cause is missing nonce verification in the request_cancellation() function within the customer cabinet controller. EPSS is negligible at 0.02% (7th percentile), SSVC classifies exploitation as none, and no public exploit code or active exploitation has been identified at time of analysis.

CSRF WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-6741 HIGH This Week

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.

WordPress Privilege Escalation Latepoint Calendar Booking Plugin For Appointments And Events
NVD
CVSS 3.1
8.8
EPSS
0.1%
EPSS 0% CVSS 7.5
HIGH This Week

Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0) lets unauthenticated attackers finalize bookings while paying an arbitrary amount. The Stripe Connect payment processor trusts a client-supplied PaymentIntent ID, so an attacker can replay a previously succeeded PaymentIntent token to satisfy the payment check. No public exploit identified at time of analysis, and the flaw is not in CISA KEV.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 5.3
MEDIUM This Month

Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthenticated attackers to overwrite customer PII - first name, last name, phone number, and notes - on any existing customer record, including those associated with administrator accounts, by submitting the public booking form with a known or guessed target email address. The attack is gated by a specific non-default plugin configuration (guest bookings enabled), meaningfully narrowing the realistic exposure surface. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 1% CVSS 5.3
MEDIUM This Month

Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unauthenticated attackers to create approved bookings against services explicitly restricted to administrators and agents. The bypass operates through two publicly accessible booking step endpoints that accept a user-controlled service identifier without validating the requester's authorization to book that service. No public exploit code or CISA KEV listing has been identified, but the CVSS:3.1 vector (AV:N/AC:L/PR:N/UI:N) confirms trivially exploitable, zero-barrier network access against default plugin configurations that utilize service-level access restrictions.

Authentication Bypass WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 8.8
HIGH This Week

Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3) lets an authenticated Agent-level user hijack any WordPress account by abusing an Insecure Direct Object Reference in OsOrdersController::create_or_update(). By supplying an arbitrary order[customer_id], an attacker overwrites the email of any LatePoint customer - including one tied to a WordPress Administrator - and then logs in as that user because OsAuthHelper::authorize_customer() never checks the linked account's role. Reported by Wordfence and rated CVSS 8.8; no public exploit identified at time of analysis and it is not on CISA KEV, though the root-cause code paths are pinpointed in public plugin source.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 1% CVSS 7.5
HIGH This Week

Privilege escalation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.5.1) allows an authenticated user with Agent-level access or higher to chain three independent flaws and overwrite a WordPress Administrator's password without invoking any Administrator-only API. Wordfence-reported flaw with no public exploit identified at time of analysis, though source code locations of all three vulnerable code paths are referenced in the disclosure.

Privilege Escalation WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD VulDB
EPSS 0% CVSS 4.3
MEDIUM This Month

Cross-Site Request Forgery in the LatePoint WordPress booking plugin (all versions ≤ 5.3.2) allows unauthenticated attackers to cancel a logged-in customer's appointments without consent by delivering a forged HTTP request. The root cause is missing nonce verification in the request_cancellation() function within the customer cabinet controller. EPSS is negligible at 0.02% (7th percentile), SSVC classifies exploitation as none, and no public exploit code or active exploitation has been identified at time of analysis.

CSRF WordPress Latepoint Calendar Booking Plugin For Appointments And Events
NVD
EPSS 0% CVSS 8.8
HIGH This Week

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.

WordPress Privilege Escalation Latepoint Calendar Booking Plugin For Appointments And Events
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy