Impact
The vulnerability in LatePoint’s process_step_customer() allows an unauthenticated attacker to alter a customer’s first name, last name, phone number, and notes by submitting the booking form with a known email address. This is an authorization bypass (CWE-862) that compromises the confidentiality and integrity of personally identifiable information and could lead to privacy violations or reputational harm. The flaw exists because the plugin does not verify that the user is permitted to perform the update, allowing any visitor to modify any customer record, even those tied to administrators.
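The pattern behind the flaw, as an added illustration that is not LatePoint's code: the weak handler rewrites whatever record matches the submitted email, while the hardened one only lets the session that owns an existing record change it. All helper names (find_customer_by_email, current_customer_id, save_customer) are hypothetical placeholders, not the plugin's API.

```php
<?php
// Hypothetical sketch (not LatePoint's code). Assumed helpers:
//   find_customer_by_email(string): ?array   current_customer_id(): ?int
//   save_customer(array): array
// The booking form carries email, first_name, last_name, phone, notes.

function collect_fields(array $params): array {
    $fields = [];
    foreach (['first_name', 'last_name', 'phone', 'notes'] as $key) {
        $fields[$key] = sanitize_text_field($params[$key] ?? '');
    }
    return $fields;
}

// Weak pattern (CWE-862): the record is selected by the submitted email alone,
// so a guest who knows an address overwrites that customer's stored PII.
function process_step_customer_weak(array $params) {
    $email    = sanitize_email($params['email'] ?? '');
    $customer = find_customer_by_email($email) ?? ['id' => null, 'email' => $email];
    $customer = array_merge($customer, collect_fields($params));
    return save_customer($customer);
}

// Hardened pattern: a new record may be created from the form, but an existing
// record is only modified by the logged-in customer who owns it. Guests hitting
// an existing email get an error instead of silently rewriting someone's data.
function process_step_customer_hardened(array $params) {
    $email    = sanitize_email($params['email'] ?? '');
    $existing = find_customer_by_email($email);

    if ($existing === null) {
        // First booking for this address: create the record from the form.
        return save_customer(array_merge(['email' => $email], collect_fields($params)));
    }

    $owner_id = current_customer_id(); // null for guest (unauthenticated) sessions
    if ($owner_id === null || $owner_id !== (int) $existing['id']) {
        // Authorization check the weak handler lacks: stored PII stays intact.
        return new WP_Error(
            'latepoint_customer_exists',
            'This email is already registered; please log in to update your details.'
        );
    }

    return save_customer(array_merge($existing, collect_fields($params)));
}
```

With guest bookings enabled the hardened path still accepts new customers; it only stops an unauthenticated submission from altering a record that already exists.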
Affected Systems
All installations of LatePoint Calendar Booking Plugin for WordPress up to and including version 5.6.1 with guest bookings enabled (is_customer_auth_disabled() returning true).
Risk and Exploitability
The CVSS score of 5.3 indicates a moderate severity, and the missing authorization check creates an easy attack path: submitting a crafted booking form is all that is required. No EPSS data is available, and the vulnerability is not yet listed in the CISA KEV catalogue, but the potential impact on a widely deployed plugin warrants timely remediation. The attack can be executed from any network, and anyone who knows a customer's email address can abuse the flaw to corrupt that customer's record.
OpenCVE Enrichment