Description
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer's bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link.
Published: 2026-05-14
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LatePoint plugin, used on WordPress sites to manage appointments, contains a Cross-Site Request Forgery flaw. The missing nonce check in the request_cancellation() function allows an unauthenticated attacker to craft a request that, if the victim follows a malicious link while logged in, cancels an existing booking. The vulnerability is a classic instance of CWE-352: the attacker never authenticates, but the forged request is carried by the victim's own logged-in session, so the booking's state is changed under the victim's identity.

Affected Systems

LatePoint, the calendar booking plugin for WordPress, is vulnerable in all releases up to and including 5.3.2. Upgrading to 5.4.0 or newer resolves the issue; no other products or versions are listed as affected.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog, suggesting limited evidence of exploitation. Attackers depend on user interaction (the victim clicking a crafted link) to trigger the forged request, which lowers the likelihood of success when users are cautious. Nonetheless, because no nonce is verified, an attacker who knows the URL and parameters that trigger a cancellation can exploit the flaw with a single forged request.

Generated by OpenCVE AI on May 14, 2026 at 08:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LatePoint plugin to version 5.4.0 or later to apply the nonce verification fix.
  • Enable a web application firewall or security plugin (e.g., Wordfence) to enforce CSRF protections and block unauthenticated state‑changing requests.
  • Review any custom code or hooks that expose the request_cancellation endpoint and ensure they use nonce verification or restrict access to authorized roles.
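As an added illustration of the nonce verification the last bullet asks for (not LatePoint's code), the following shows a WordPress AJAX cancellation handler with the checks the vulnerable pattern lacks; the action name `example_request_cancellation`, the helpers `example_get_booking()` and `example_cancel_booking()`, and the `customer_user_id` field are hypothetical.

```php
<?php
// Added example, not LatePoint's code. Hook name, helpers and the
// customer_user_id field are hypothetical.

// The vulnerable pattern is this same handler with the check_ajax_referer()
// line removed: it then trusts the browser's cookie session alone, so a
// third-party page that auto-submits a form to admin-ajax.php with
// action=example_request_cancellation cancels the logged-in customer's booking.
function example_request_cancellation() {
    // Nonce tied to this action and to the current user; check_ajax_referer()
    // terminates the request with HTTP 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_request_cancellation', '_wpnonce' );

    // A customer session is still required; wp_send_json_error() exits.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Login required' ), 401 );
    }

    $booking_id = isset( $_POST['booking_id'] ) ? intval( $_POST['booking_id'] ) : 0;
    $booking    = example_get_booking( $booking_id ); // hypothetical lookup

    // Ownership check: a valid nonce proves the request came from this user's
    // page, not that this user may cancel an arbitrary booking id.
    if ( ! $booking || (int) $booking->customer_user_id !== get_current_user_id() ) {
        wp_send_json_error( array( 'message' => 'Booking not found' ), 403 );
    }

    example_cancel_booking( $booking_id ); // hypothetical state change
    wp_send_json_success( array( 'booking_id' => $booking_id ) );
}
// Registered for logged-in users only; no wp_ajax_nopriv_ hook is added,
// since cancellation is a customer action.
add_action( 'wp_ajax_example_request_cancellation', 'example_request_cancellation' );

// The legitimate cancellation form must carry the matching nonce.
// wp_nonce_field() emits the hidden _wpnonce input that the handler verifies.
function example_render_cancel_form( $booking_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_request_cancellation">
        <input type="hidden" name="booking_id" value="<?php echo (int) $booking_id; ?>">
        <?php wp_nonce_field( 'example_request_cancellation', '_wpnonce' ); ?>
        <button type="submit">Cancel booking</button>
    </form>
    <?php
}
```

A cross-origin page cannot read the nonce out of the customer's own form, so a forged submission fails the referer check before any booking is touched.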


Advisories

No advisories yet.

History

Thu, 14 May 2026 08:45:00 +0000

(Columns: Type, Values Removed, Values Added. No values were removed in this entry.)

Type: First Time appeared
Values Added: Latepoint; Latepoint latepoint – Calendar Booking Plugin For Appointments And Events; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Latepoint; Latepoint latepoint – Calendar Booking Plugin For Appointments And Events; Wordpress; Wordpress wordpress

Thu, 14 May 2026 07:00:00 +0000

(Columns: Type, Values Removed, Values Added. No values were removed in this entry.)

Type: Description
Values Added: The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer's bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link.

Type: Title
Values Added: LatePoint <= 5.3.2 - Cross-Site Request Forgery via 'customer_cabinet__request_cancellation' AJAX Route

Type: Weaknesses
Values Added: CWE-352

Type: References
Values Added: (none listed)

Type: Metrics
Values Added: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-14T06:44:11.886Z

Reserved: 2026-04-01T18:03:07.898Z

Link: CVE-2026-5365

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-14T07:16:20.110

Modified: 2026-05-14T07:16:20.110

Link: CVE-2026-5365

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-14T08:30:16Z

Weaknesses