Impact
The flaw resides in LatePoint’s routing layer: the call_by_route_name function verifies only the calling user’s capabilities and does not require a nonce. A capability check confirms who the user is, not whether the user intended to send the request, so any visitor can craft a forged request that, when an administrator’s browser submits it while the administrator is logged in, carries out any operation the routing layer exposes: creating, modifying or deleting bookings, changing plugin settings, or reading sensitive data. No authentication is needed to build the request, so an unauthenticated attacker can, with an administrator’s unwitting participation, perform any action the administrator can perform.
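The following is an added illustration, not LatePoint’s code: a hypothetical WordPress-style route dispatcher showing the capability-only check the advisory describes beside a hardened version that also demands a nonce. The route names, the example_ function names and the nonce action prefix are assumptions; the WordPress helpers (current_user_can, check_ajax_referer, wp_nonce_field, wp_send_json_error, update_option) are real core functions.

```php
<?php
// Added example, not LatePoint's code. Route names, example_* functions and
// the 'example_route_' nonce action prefix are hypothetical.

// Hypothetical route table: route name => [callback, required capability].
function example_routes() {
    return [
        'settings__update' => [ 'example_update_settings', 'manage_options' ],
        'bookings__delete' => [ 'example_delete_booking',  'manage_options' ],
    ];
}

// Vulnerable pattern (the class of bug described above): the dispatcher checks
// WHO the user is but not whether the user meant to send THIS request. A form
// on an attacker's site submitted by the admin's browser passes
// current_user_can() because the browser attaches the admin's session cookie.
function example_call_by_route_name_vulnerable( $route_name ) {
    $routes = example_routes();
    if ( ! isset( $routes[ $route_name ] ) ) {
        wp_send_json_error( 'unknown route', 404 );
    }
    list( $callback, $cap ) = $routes[ $route_name ];
    if ( ! current_user_can( $cap ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    call_user_func( $callback, $_POST );
}

// Hardened pattern: in addition to the capability check, the request must carry
// a nonce that only a page rendered for this logged-in user could contain.
// A cross-origin page cannot read that value, so a forged request fails here.
function example_call_by_route_name_fixed( $route_name ) {
    $routes = example_routes();
    if ( ! isset( $routes[ $route_name ] ) ) {
        wp_send_json_error( 'unknown route', 404 );
    }
    list( $callback, $cap ) = $routes[ $route_name ];
    if ( ! current_user_can( $cap ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Bind the nonce action to the route so a nonce issued for one route
    // cannot be replayed against another. check_ajax_referer() sends a 403
    // and stops execution when the nonce is missing or invalid.
    check_ajax_referer( 'example_route_' . $route_name, '_wpnonce' );
    call_user_func( $callback, $_POST );
}

// Where the admin page is rendered, emit the nonce for the route it submits to,
// so legitimate first-party requests include the value the fixed dispatcher checks.
function example_route_nonce_field( $route_name ) {
    wp_nonce_field( 'example_route_' . $route_name, '_wpnonce' );
}

// Hypothetical callbacks standing in for the plugin's own handlers.
function example_update_settings( $params ) {
    $value = sanitize_text_field( $params['value'] ?? '' );
    update_option( 'example_setting', $value );
    wp_send_json_success( [ 'setting' => $value ] );
}

function example_delete_booking( $params ) {
    $id = absint( $params['id'] ?? 0 );
    if ( $id === 0 ) {
        wp_send_json_error( 'missing id', 400 );
    }
    delete_option( 'example_booking_' . $id );
    wp_send_json_success( [ 'deleted' => $id ] );
}
```

The difference between the two dispatchers is a single line, which is why this bug class is easy to introduce in a central router: every route that passes through call_by_route_name inherits whatever the router checks, and if the router checks only capabilities, every route is forgeable. When auditing a plugin for this pattern, look for admin-facing handlers that call current_user_can but never reach check_ajax_referer or wp_verify_nonce.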
Affected Systems
All releases of the LatePoint – Calendar Booking Plugin for Appointments and Events up to and including version 5.2.5 are affected. The plugin, distributed by the vendor LatePoint, is a WordPress extension for managing events and bookings.
Risk and Exploitability
The CVSS score of 4.3 places the issue in the medium severity range, and the EPSS score of less than 1% indicates a low probability of exploitation at present. The flaw is not listed in the CISA KEV catalog. The attack vector is typical of CSRF: a malicious link or embedded content, delivered by social engineering or placed on a page the administrator visits, causes a logged‑in administrator’s browser to submit an unintended request. Exploitation therefore requires that an administrator be authenticated to the WordPress site at the moment the forged request is submitted; the attacker needs no account of their own. Overall the risk is moderate, and any site that relies on LatePoint for administrator‑level operations should update promptly. A quick check for this class of flaw is to confirm that each admin-facing route verifies a nonce (check_ajax_referer or wp_verify_nonce) in addition to current_user_can.
OpenCVE Enrichment