Description
The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice.
Published: 2026-04-17
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized exposure of sensitive financial data via IDOR
Action: Upgrade
AI Analysis

Impact

The LatePoint plugin for WordPress contains an Insecure Direct Object Reference flaw that permits an unauthenticated party to enumerate invoices. The vulnerability exists because the public OsStripeConnectController::create_payment_intent_for_transaction action loads invoices by a sequential integer invoice_id without verifying ownership or requiring authentication. The result is that attackers can obtain sensitive financial information, including invoice identifiers, order IDs, customer IDs, charge amounts, and, on sites configured with Stripe Connect, client-secret tokens and transaction intent keys. This data compromise threatens the confidentiality of financial transactions and could facilitate fraudulent activity. The weakness is categorised as CWE-639. Based on the description, the likely attack vector is an unauthenticated HTTP request to the exposed action, supplying the invoice_id parameter.

Affected Systems

The flaw impacts every installation of the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress that is running version 5.3.2 or earlier. Any site that has this plugin, regardless of the WordPress theme or other plugins, is vulnerable. The problem is confined to the LatePoint component and does not affect other WordPress core files or plugins.

Risk and Exploitability

The CVSS base score is 5.3, reflecting moderate severity. The EPSS estimate is not available, and the vulnerability is not catalogued as a known exploited vulnerability. Attackers require only unauthenticated HTTP calls to a public endpoint; valid invoice IDs can be identified by iterating the sequential integer IDs and observing the differing error messages. Because the exploit does not require privileged credentials or complex setup, the potential for exploitation is realistic, though there are no reports of this weakness being actively abused in the wild. The main consequence is the leakage of confidential financial data and, where Stripe Connect is enabled, sensitive authentication tokens.

Generated by OpenCVE AI on April 17, 2026 at 06:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LatePoint to version 5.4 or later, which removes the public create_payment_intent_for_transaction action.
  • If an upgrade is not immediately feasible, restrict access to the endpoint by requiring valid authentication or a secret key, and consider blocking unauthenticated requests from unauthorized sources.
  • Implement rate‑limiting and monitoring for the invoice endpoint to detect enumeration attempts, and block offending IP addresses to mitigate automated IDOR scans.
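The access-control gap the description names (an action resolving an invoice from a sequential integer id with no access_key or ownership check, while the sibling view_by_key and payment_form actions require a UUID access_key) and the secret-key workaround in the recommended actions, sketched side by side in PHP. This is an added illustration, not LatePoint's code: the Invoice and InvoiceStore classes, the function names and the request array shape are all assumptions.

```php
<?php
// Added illustration, not LatePoint's code; every name here is an assumption.
declare(strict_types=1);

final class Invoice {
    public function __construct(public int $id, public string $access_key, public int $charge_amount) {}
}

final class InvoiceStore {
    /** @var array<int, Invoice> */
    private array $rows = [];
    public function add(Invoice $inv): void { $this->rows[$inv->id] = $inv; }
    public function find_by_id(int $id): ?Invoice { return $this->rows[$id] ?? null; }
    public function find_by_access_key(string $key): ?Invoice {
        foreach ($this->rows as $inv) {
            if (hash_equals($inv->access_key, $key)) { return $inv; }  // constant-time compare
        }
        return null;
    }
}

// Per-invoice random UUID v4 access key, minted once when the invoice is created.
function new_access_key(): string {
    $b = random_bytes(16);
    $b[6] = chr((ord($b[6]) & 0x0f) | 0x40);
    $b[8] = chr((ord($b[8]) & 0x3f) | 0x80);
    return vsprintf('%s%s-%s-%s-%s-%s%s%s', str_split(bin2hex($b), 4));
}

// Vulnerable pattern: public action, invoice resolved by sequential integer id,
// no ownership or key check. Any integer reaches any invoice, and the distinct
// "not found" message tells the caller which ids exist.
function create_intent_insecure(array $req, InvoiceStore $store): array {
    $inv = $store->find_by_id((int) ($req['invoice_id'] ?? 0));
    if ($inv === null) { return ['status' => 'error', 'message' => 'Invoice not found']; }
    return ['status' => 'success', 'invoice_id' => $inv->id, 'charge_amount' => $inv->charge_amount];
}

// Hardened pattern: the caller must present the invoice's access_key (as the
// sibling view_by_key / payment_form actions do); the integer id is ignored,
// nothing is written before the key check passes, and the error is generic.
function create_intent_hardened(array $req, InvoiceStore $store): array {
    $key = (string) ($req['access_key'] ?? '');
    if (!preg_match('/^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i', $key)) {
        return ['status' => 'error', 'message' => 'Invalid request'];
    }
    $inv = $store->find_by_access_key($key);
    if ($inv === null) { return ['status' => 'error', 'message' => 'Invalid request']; }
    return ['status' => 'success', 'invoice_id' => $inv->id, 'charge_amount' => $inv->charge_amount];
}
```

The hardened handler returns the same generic error for a malformed, unknown or mismatched key, so the response no longer serves as an existence oracle for invoice ids.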



Advisories

No advisories yet.

History

Fri, 17 Apr 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 17 Apr 2026 08:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Latepoint
                                      Latepoint latepoint – Calendar Booking Plugin For Appointments And Events
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Latepoint
                                      Latepoint latepoint – Calendar Booking Plugin For Appointments And Events
                                      Wordpress
                                      Wordpress wordpress

Fri, 17 Apr 2026 04:30:00 +0000

Type         Values Removed   Values Added
Description                   The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice.
Title                         LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID
Weaknesses                    CWE-639
References
Metrics                       cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-17T18:38:40.183Z

Reserved: 2026-03-31T14:05:18.117Z

Link: CVE-2026-5234

Vulnrichment

Updated: 2026-04-17T18:38:34.601Z

NVD

Status : Received

Published: 2026-04-17T05:16:18.830

Modified: 2026-04-17T05:16:18.830

Link: CVE-2026-5234

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T08:00:10Z

Weaknesses