{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32533", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:24.776Z", "datePublished": "2026-03-25T16:15:09.898Z", "dateUpdated": "2026-03-26T13:19:18.208Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "latepoint", "product": "LatePoint", "vendor": "LatePoint", "versions": [{"changes": [{"at": "5.2.7", "status": "unaffected"}], "lessThanOrEqual": "<= 5.2.6", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:42.492Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects LatePoint: from n/a through <= 5.2.6.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:09.898Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/latepoint/vulnerability/wordpress-latepoint-plugin-5-2-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress LatePoint plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:19:11.094382Z", "id": "CVE-2026-32533", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:19:18.208Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"cna": {"title": "WordPress LatePoint plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "affected": [{"vendor": "LatePoint", "product": "LatePoint", "versions": [{"status": "affected", "changes": [{"at": "5.2.7", "status": "unaffected"}], "version": "n/a", "versionType": "custom", "lessThanOrEqual": "<= 5.2.6"}], "packageName": "latepoint", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-03-25T17:12:42.492Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/latepoint/vulnerability/wordpress-latepoint-plugin-5-2-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6.", "supportingMedia": [{"type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects LatePoint: from n/a through <= 5.2.6.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:09.898Z"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32533", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-26T13:19:11.094382Z"}}}], "providerMetadata": {"shortName": "CISA-ADP", "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "dateUpdated": "2026-03-26T13:18:13.411Z"}}]}, "cveMetadata": {"cveId": "CVE-2026-32533", "state": "PUBLISHED", "dateUpdated": "2026-03-25T16:15:09.898Z", "dateReserved": "2026-03-12T11:12:24.776Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2026-03-25T16:15:09.898Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6."}], "id": "CVE-2026-32533", "lastModified": "2026-03-26T14:16:11.790", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.5, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-03-25T17:17:06.877", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/latepoint/vulnerability/wordpress-latepoint-plugin-5-2-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "5.2.7"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LatePoint", "source": "cna", "vendor": "LatePoint"}, "product": "latepoint", "vendor": "latepoint"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:15:47.756896+00:00", "value": {"mitigation_remediation": ["Upgrade LatePoint to the latest available version, at least 5.2.7 or newer", "If an immediate update is not possible, restrict access to the plugin\u2019s administrative pages to trusted administrators only", "Verify that role\u2011based access controls are correctly configured and no more permissive privileges exist", "Continuously monitor audit logs for anomalous access patterns to protected resources"], "summary": {"action": "Apply patch", "impact": "Authorization bypass via insecure direct object references"}, "threat_synthesis": {"affected_systems": "The issue affects all installations of the LatePoint plugin for WordPress with versions up to and including 5.2.6. There are no vendor\u2011specified sub\u2011versions; any instance running 5.2.6 or earlier is considered vulnerable.", "description_and_impact": "This vulnerability in the LatePoint WordPress plugin allows an attacker with a user account to bypass authorization controls by manipulating user\u2011controlled keys. The flaw results from incorrectly configured access control security levels, enabling an attacker to access objects they should not be able to. The primary impact is the potential compromise of protected content or functions belonging to other users.", "risk_and_exploitability": "The CVSS score is not provided in the available data. The EPSS score is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalogue, suggesting it is not yet actively exploited. However, the attack vector is inferred to be remote, originating from the web interface, because the flaw involves direct manipulation of request parameters. The lack of defensive controls in earlier releases increases the likelihood that the vulnerability could be abused if an attacker can guess or enumerate object identifiers."}}}}, "created": "2026-03-25T21:47:07.419203+00:00", "updated": "2026-03-26T11:34:57.921158+00:00", "vendors": ["latepoint", "latepoint$PRODUCT$latepoint", "wordpress", "wordpress$PRODUCT$wordpress"]}