Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the personally identifiable information (first name, last name, phone number, and notes) of any existing customer record, including those linked to administrator accounts, by submitting the booking form with a known customer's email address. Exploitation requires the plugin to be configured with guest bookings enabled (is_customer_auth_disabled() returning true), which is necessary for the vulnerable unauthenticated code path in process_step_customer() to be reached.
Published: 2026-07-03
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in LatePoint’s process_step_customer() allows an unauthenticated attacker to alter a customer’s first name, last name, phone number, and notes by submitting the booking form with a known email address. This is an authorization bypass (CWE-862) that compromises the confidentiality and integrity of personally identifiable information and could lead to privacy violations or reputational harm. The flaw exists because the plugin does not verify that the user is permitted to perform the update, allowing any visitor to modify any customer record, even those tied to administrators.
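The authorization gap in the customer step, shown as an added example that is not LatePoint's code: a simplified, hypothetical PHP handler in the vulnerable shape beside a hardened one. The $db helper, its methods and the wp_user_id column are assumptions; the sanitize_* and current-user calls are standard WordPress functions.

```php
<?php
// Added illustration of the pattern the advisory describes; hypothetical code,
// not LatePoint's own process_step_customer(). Assumes a $db helper exposing
// find_customer_by_email(), create_customer() and update_customer(), and a
// customer row with a wp_user_id column linking it to a WordPress account.

// Vulnerable pattern: the submitted email selects an existing customer and the
// submitted PII is written to that record with no ownership check, so any
// visitor who knows the email can overwrite it (the CWE-862 condition).
function process_step_customer_vulnerable(array $form, $db) {
    $customer = $db->find_customer_by_email($form['email']);
    if ($customer) {
        $db->update_customer($customer->id, [
            'first_name' => $form['first_name'],
            'last_name'  => $form['last_name'],
            'phone'      => $form['phone'],
            'notes'      => $form['notes'],
        ]);
        return $customer->id;
    }
    return $db->create_customer($form);
}

// Sanitised PII subset of the form (WordPress sanitize_* helpers).
function booking_pii_fields(array $form) {
    return [
        'first_name' => sanitize_text_field($form['first_name'] ?? ''),
        'last_name'  => sanitize_text_field($form['last_name'] ?? ''),
        'phone'      => sanitize_text_field($form['phone'] ?? ''),
        'notes'      => sanitize_textarea_field($form['notes'] ?? ''),
    ];
}

// Hardened pattern: an existing record is updated only when the submitter is a
// logged-in WordPress user linked to it. A guest whose email already matches a
// record gets the booking attached to that record but cannot change its PII
// (alternatively, require login or email verification before proceeding).
function process_step_customer_hardened(array $form, $db) {
    $email    = sanitize_email($form['email'] ?? '');
    $customer = $db->find_customer_by_email($email);
    if (!$customer) {
        return $db->create_customer(['email' => $email] + booking_pii_fields($form)); // new guest record
    }
    $owns_record = is_user_logged_in()
        && (int) $customer->wp_user_id === get_current_user_id();
    if (!$owns_record) {
        return $customer->id; // existing record, unrelated submitter: PII untouched
    }
    $db->update_customer($customer->id, booking_pii_fields($form));
    return $customer->id;
}
```

With guest bookings enabled, the hardened version still lets guests book, but a guest submission can no longer rewrite a record it does not own.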

Affected Systems

All installations of LatePoint Calendar Booking Plugin for WordPress up to and including version 5.6.1 with guest bookings enabled (is_customer_auth_disabled() returning true).

Risk and Exploitability

The CVSS 3.1 score of 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N) indicates medium severity, and the missing authorization check creates an easy attack path: submitting a crafted booking form is all that is required. No EPSS data is available, and the vulnerability is not yet listed in the CISA KEV catalogue, but the potential impact on a widely deployed plugin warrants timely remediation. The attack can be executed remotely over the network, and anyone who knows a customer's email address can abuse the flaw to alter that customer's record.

Generated by OpenCVE AI on July 4, 2026 at 00:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LatePoint to the latest version that contains the authorization fix.
  • If an update cannot be applied immediately, disable the guest booking feature in the plugin settings to prevent unauthenticated form submissions.
  • Review customer records for unexpected changes and reset any fields that may have been tampered with, then monitor for further unauthorized activity.

Advisories

No advisories yet.

History

Fri, 03 Jul 2026 11:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Latepoint; Latepoint latepoint – Calendar Booking Plugin For Appointments And Events; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Latepoint; Latepoint latepoint – Calendar Booking Plugin For Appointments And Events; Wordpress; Wordpress wordpress

Fri, 03 Jul 2026 09:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the personally identifiable information (first name, last name, phone number, and notes) of any existing customer record, including those linked to administrator accounts, by submitting the booking form with a known customer's email address. Exploitation requires the plugin to be configured with guest bookings enabled (is_customer_auth_disabled() returning true), which is necessary for the vulnerable unauthenticated code path in process_step_customer() to be reached.

Type: Title
Values Removed: (none)
Values Added: LatePoint <= 5.6.1 - Missing Authorization to Unauthenticated Arbitrary Customer Data Modification via process_step_customer() Booking Form Customer Step

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-03T07:53:10.377Z

Reserved: 2026-06-05T16:30:18.829Z

Link: CVE-2026-11398

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-04T01:00:15Z

Weaknesses