Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service_id' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.
Published: 2026-07-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LatePoint – Calendar Booking Plugin for Appointments and Events contains an insecure direct object reference flaw in the service_id parameter. The absence of validation on this user‑controlled key allows anyone to submit a booking request for services that are normally restricted to administrators or agents. An attacker can thereby consume appointment capacity and generate official‑looking bookings without any authentication.

Affected Systems

WordPress sites running LatePoint up to and including version 5.6.2 are vulnerable. The issue affects all instances of the plugin, regardless of individual site configuration, because the vulnerable code is present in each affected release.

Risk and Exploitability

The flaw carries a CVSS score of 5.3, indicating moderate severity. The EPSS score is below 1 %, suggesting a low probability of exploitation. It is not listed in the CISA KEV catalog. An attacker can exploit the bug using unauthenticated HTTP requests to the steps__load_step and steps__start endpoints, manipulating the params[booking][service_id] or presets[selected_service] parameters to create bookings for admin‑only services.

Generated by OpenCVE AI on July 2, 2026 at 17:58 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update LatePoint to the latest version (5.6.3 or newer) to remove the IDOR vulnerability.
  • Review plugin settings and disable public booking forms for services that should be reserved for administrators or agents.
  • Perform a security review of all booking endpoints to confirm that no additional insecure object references exist.
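To make the missing validation concrete, here is an added, hypothetical PHP guard (not LatePoint's own code and not a vendor fix) that checks the user-controlled service key against the caller's privileges before either public booking step proceeds; the service catalogue, capability name and hook point are assumptions.

```php
<?php
// Added, hypothetical example (not LatePoint's code): the authorization check
// that CWE-639 says is missing, applied to the user-controlled service key
// before a public booking step (steps__load_step / steps__start) proceeds.

// Constructed catalogue: service id => whether it is reserved for admins/agents.
// A real plugin would read this from the database.
function example_service_catalogue(): array {
    return [
        10 => ['name' => 'Consultation',  'restricted' => false],
        11 => ['name' => 'Internal slot', 'restricted' => true],   // admin/agent only
    ];
}

// Read the service id from either request shape named in the advisory.
function example_requested_service_id(array $request): ?int {
    $raw = $request['params']['booking']['service_id']
        ?? $request['presets']['selected_service']
        ?? null;
    return is_numeric($raw) ? (int) $raw : null;   // reject non-numeric keys
}

// Hypothetical capability name; a real plugin would use its own admin/agent cap.
const EXAMPLE_RESTRICTED_BOOKING_CAP = 'example_book_restricted_services';

// True only when this caller may book this service. Unknown and restricted
// services give the same answer so the check is not an oracle for which ids exist.
function example_may_book_service(?int $service_id, bool $caller_is_privileged): bool {
    $catalogue = example_service_catalogue();
    if ($service_id === null || !isset($catalogue[$service_id])) {
        return false;
    }
    return !$catalogue[$service_id]['restricted'] || $caller_is_privileged;
}

// Guard to run at the start of the public booking handlers (hypothetical hook
// point). is_user_logged_in(), current_user_can() and wp_send_json_error()
// are standard WordPress functions.
function example_guard_booking_step(array $request): void {
    $privileged = is_user_logged_in() && current_user_can(EXAMPLE_RESTRICTED_BOOKING_CAP);
    if (!example_may_book_service(example_requested_service_id($request), $privileged)) {
        wp_send_json_error(['message' => 'Service not available'], 403);   // exits
    }
}
```

The point is that the decision is made server-side from the service's own restriction flag and the caller's capability, never from anything in the request.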

Advisories

No advisories yet.

History

Thu, 02 Jul 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 02 Jul 2026 11:15:00 +0000

Type: First Time appeared
Values Added:
  • Latepoint
  • Latepoint latepoint – Calendar Booking Plugin For Appointments And Events
  • Wordpress
  • Wordpress wordpress

Type: Vendors & Products
Values Added:
  • Latepoint
  • Latepoint latepoint – Calendar Booking Plugin For Appointments And Events
  • Wordpress
  • Wordpress wordpress

Thu, 02 Jul 2026 09:45:00 +0000

Type: Description
Values Added: The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service_id' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.

Type: Title
Values Added: LatePoint <= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via 'service_id' Parameter

Type: Weaknesses
Values Added: CWE-639

Type: References (no values shown)

Type: Metrics (cvssV3_1)
Values Added: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-02T12:37:48.368Z

Reserved: 2026-06-18T18:49:07.840Z

Link: CVE-2026-12657

Vulnrichment

Updated: 2026-07-02T12:37:44.913Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-02T18:00:05Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key