Description
Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6.
Published: 2026-03-25
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Data Access
Action: Patch Now
AI Analysis

Impact

The vulnerability in LatePoint is an Insecure Direct Object Reference that allows an attacker to manipulate a key parameter in a request and bypass the plugin’s authorization checks. This flaw permits unauthorized reading of appointment data and other sensitive information that should be protected. The weakness corresponds to CWE‑639.

Affected Systems

All releases of the LatePoint WordPress plugin from its initial version through version 5.2.6 are affected. No release prior to 5.2.7 contains a fix for this IDOR flaw.

Risk and Exploitability

The CVSS base score of 6.5 indicates a moderate severity issue, while the EPSS below 1 % suggests that exploitation is unlikely to be common in the wild. Because the vulnerability is not listed in the CISA KEV catalog, it is not known to be actively exploited at scale. Based on the description, the likely attack vector is a crafted web request that modifies the key field to reference another object, meaning the attack requires network access to the site and the ability to influence URL or POST parameters. This combination of moderate severity, low exploitation probability, and the ability for an attacker to read confidential data results in a significant risk that warrants prompt remediation.

Generated by OpenCVE AI on March 26, 2026 at 15:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LatePoint to version 5.2.7 or newer.
  • Ensure that the plugin’s role‑based access controls are correctly configured so that only authorized users can view appointment details.
  • If an immediate upgrade is not possible, block direct access to the plugin’s configuration and hidden endpoints with a web‑application firewall and monitor logs for suspicious activity.

Generated by OpenCVE AI on March 26, 2026 at 15:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Mar 2026 12:00:00 +0000

Type Values Removed Values Added
First Time appeared Latepoint
Latepoint latepoint
Wordpress
Wordpress wordpress
Vendors & Products Latepoint
Latepoint latepoint
Wordpress
Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type Values Removed Values Added
Description Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6.
Title WordPress LatePoint plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses CWE-639
References

Subscriptions

Latepoint Latepoint
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-03-26T13:19:18.208Z

Reserved: 2026-03-12T11:12:24.776Z

Link: CVE-2026-32533

cve-icon Vulnrichment

Updated: 2026-03-26T13:18:13.411Z

cve-icon NVD

Status : Deferred

Published: 2026-03-25T17:17:06.877

Modified: 2026-04-24T16:35:20.070

Link: CVE-2026-32533

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-27T09:30:39Z

Weaknesses