Impact
LatePoint – Calendar Booking Plugin for Appointments and Events contains an insecure direct object reference flaw in the service_id parameter. The absence of validation on this user‑controlled key allows anyone to submit a booking request for services that are normally restricted to administrators or agents. An attacker can thereby consume appointment capacity and generate official‑looking bookings without any authentication.
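The missing check described above is the generic IDOR pattern: a caller-supplied key is used to fetch and act on an object without asking whether this caller may reference that object. The following is an added illustration, not LatePoint code; the catalogue, the `visibility`/`capacity` fields and the role names are constructed for the example. It places the vulnerable handler beside a hardened one that authorises the referenced service against the caller's role and fails closed on unknown ids.

```python
from dataclasses import dataclass

# Constructed model of a booking back end. Not LatePoint code; the field
# names (visibility, capacity) and the role names are assumptions.

@dataclass
class Service:
    service_id: int
    name: str
    visibility: str   # "public" (bookable by anyone) or "restricted" (staff only)
    capacity: int     # remaining appointment slots

@dataclass
class Actor:
    role: str         # "anonymous", "customer", "agent" or "admin"

STAFF_ROLES = {"agent", "admin"}

def fresh_catalogue():
    """Constructed catalogue: two public services and one staff-only block."""
    return {
        1: Service(1, "Haircut", "public", 3),
        2: Service(2, "Consultation", "public", 2),
        7: Service(7, "Staff-only block", "restricted", 1),
    }

def book_vulnerable(catalogue, actor, service_id):
    """IDOR pattern: the caller-supplied id is used to fetch and act on the
    service with no check that this caller may reference it."""
    svc = catalogue[service_id]        # unknown id raises; restricted id is accepted
    if svc.capacity == 0:
        return "full"
    svc.capacity -= 1                  # capacity consumed by whoever sent the id
    return "booked"

def book_hardened(catalogue, actor, service_id):
    """Authorise the referenced object before acting on it, and fail closed
    on ids the catalogue does not contain."""
    svc = catalogue.get(service_id)
    if svc is None:
        return "not_found"
    if svc.visibility != "public" and actor.role not in STAFF_ROLES:
        return "forbidden"             # anonymous/customer callers cannot reach restricted services
    if svc.capacity == 0:
        return "full"
    svc.capacity -= 1
    return "booked"

if __name__ == "__main__":
    print(book_vulnerable(fresh_catalogue(), Actor("anonymous"), 7))  # booked
    print(book_hardened(fresh_catalogue(), Actor("anonymous"), 7))    # forbidden
```

The decisive difference is that the hardened handler decides on the pair (caller, referenced object), not merely on whether a session exists; a plain "is logged in" gate would still let any customer book staff-only services. Returning the same response for `not_found` and `forbidden` is a reasonable further step where id enumeration is a concern.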
Affected Systems
WordPress sites running LatePoint up to and including version 5.6.2 are vulnerable. The issue affects all instances of the plugin, regardless of individual site configuration, because the vulnerable code is present in each affected release.
Risk and Exploitability
The flaw carries a CVSS score of 5.3, indicating moderate severity. The EPSS score is below 1 %, suggesting a low probability of exploitation. It is not listed in the CISA KEV catalog. An attacker can exploit the bug using unauthenticated HTTP requests to the steps__load_step and steps__start endpoints, manipulating the params[booking][service_id] or presets[selected_service] parameters to create bookings for admin‑only services.
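Because the advisory names the two routes and the two parameters involved, a site operator can look for attempts in request logs while an update is pending. The script below is an added example, not part of the advisory or the plugin: the log lines are constructed, the URL shape (route name and bracketed booking parameters in the query string of admin-ajax.php) is an assumption, and the set of restricted service ids is site-specific and made up here. It parses combined-format lines, decodes the bracketed parameter names, and flags requests to steps__start or steps__load_step that reference a restricted service.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Endpoints and parameter names taken from the advisory text.
WATCHED_ROUTES = ("steps__load_step", "steps__start")
SERVICE_PARAMS = ("params[booking][service_id]", "presets[selected_service]")

# Service ids this site restricts to agents/administrators. Site-specific;
# the value here is constructed for the example.
RESTRICTED_SERVICE_IDS = {7}

# Constructed combined-format access-log lines. The URL shape (admin-ajax.php
# with the route name and booking parameters in the query string) is an
# assumption; real requests may carry these fields in the POST body instead.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2025:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?route=steps__start&params%5Bbooking%5D%5Bservice_id%5D=7 HTTP/1.1" 200 512 "-" "curl/8.6.0"
203.0.113.5 - - [12/May/2025:10:01:03 +0000] "POST /wp-admin/admin-ajax.php?route=steps__load_step&presets%5Bselected_service%5D=7 HTTP/1.1" 200 498 "-" "curl/8.6.0"
198.51.100.9 - - [12/May/2025:10:02:10 +0000] "POST /wp-admin/admin-ajax.php?route=steps__start&params%5Bbooking%5D%5Bservice_id%5D=1 HTTP/1.1" 200 530 "https://example.test/book/" "Mozilla/5.0"
198.51.100.9 - - [12/May/2025:10:02:11 +0000] "GET /book/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Split one combined-format line into ip, timestamp, target, query dict and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "target": m.group("target"),
        "path": url.path,
        "query": parse_qs(url.query),   # decodes %5B/%5D back to bracketed keys
        "status": int(m.group("status")),
    }

def watched_route(target):
    """Return the advisory's route name present in the request target, if any.
    Searching the raw target keeps this independent of how the route is passed."""
    for route in WATCHED_ROUTES:
        if route in target:
            return route
    return None

def requested_service_ids(query):
    """Collect numeric service ids from either parameter named in the advisory."""
    ids = set()
    for key in SERVICE_PARAMS:
        for value in query.get(key, []):
            if value.isdigit():
                ids.add(int(value))
    return ids

def find_restricted_booking_attempts(log_text, restricted_ids=RESTRICTED_SERVICE_IDS):
    """Flag requests to the booking-step routes that reference a restricted service."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        route = watched_route(rec["target"])
        if route is None:
            continue
        hits = requested_service_ids(rec["query"]) & set(restricted_ids)
        if hits:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "route": route,
                             "service_ids": sorted(hits), "status": rec["status"]})
    return findings

if __name__ == "__main__":
    for finding in find_restricted_booking_attempts(SAMPLE_LOG):
        print(finding)
```

Standard web-server access logs record only the request line, so if the plugin sends these parameters in the POST body this needs to run against a reverse-proxy or WAF log that captures bodies, or against the plugin's own request logging. A match is an attempt, not a confirmed booking; the booking records themselves should be checked for restricted services created by non-staff accounts.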
OpenCVE Enrichment