Impact
The LatePoint Calendar Booking Plugin for WordPress contains a cross-site request forgery (CSRF) vulnerability in all versions up to and including 5.6.0. Missing or incorrect nonce validation in the invoices change_status action allows an unauthenticated attacker to forge a request that, once an authenticated administrator is tricked into submitting it, changes the status of an arbitrary invoice, including marking an unpaid invoice as paid. The attacker never authenticates to the site; the forged request rides on the victim administrator's session. The financial state of customer records can therefore be altered without the administrator's knowledge, compromising data integrity and potentially enabling fraudulent financial reporting.
Affected Systems
All installations of the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress at version 5.6.0 or earlier are affected. The vulnerability is in invoices_controller.php, where the change_status function lacks an adequate nonce check. On any of these versions the invoice status-change endpoint accepts a request an attacker has forged, provided a logged-in administrator's browser can be induced to send it.
Risk and Exploitability
With a CVSS score of 4.3 the flaw is rated medium severity. No EPSS score is available and the flaw is not listed in the CISA KEV catalog, so there is no public indication of in-the-wild exploitation, although absence from KEV is not proof that it is unexploited. The attack vector is classic CSRF: an administrator who is logged in to the WordPress dashboard is lured into visiting a crafted page or clicking a link that submits a forged request to the change_status action, and the browser attaches the administrator's session cookies to it. Successful exploitation lets the attacker alter invoice data but does not provide code execution or broader compromise of the site. The risk is therefore moderate and depends mainly on the attacker's ability to get a privileged user to perform the forged action while authenticated; the plugin's administrative interface does not need to be reachable by the attacker directly, since the victim's browser makes the request.
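The following is an added illustration of the defect class described above (a state-changing admin-ajax action with no nonce check) beside the form a maintainer would harden it into. It is not LatePoint's code and does not reproduce invoices_controller.php; the function names, the action name demo_invoice_change_status, the nonce action string demo_invoice_status, the status values and the post-meta storage are all assumptions made for the example. Only standard WordPress core functions are used.

```php
<?php
// Added example, not LatePoint's code. A hypothetical admin-ajax handler for
// changing an invoice's status, shown first in the vulnerable shape the
// advisory describes (no nonce validation) and then hardened with the
// WordPress nonce and capability checks. All identifiers are assumptions.

// Assumed persistence: invoices are treated as posts and the status lives in
// post meta. A real plugin would use its own tables.
function demo_update_invoice_status( $invoice_id, $status ) {
    return update_post_meta( $invoice_id, '_demo_invoice_status', $status );
}

// Vulnerable pattern: the handler only asks "is someone logged in?". A forged
// cross-site form submission carries the administrator's session cookies, so
// the check passes and the invoice is updated without the admin intending it.
function demo_change_status_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $invoice_id = absint( $_POST['invoice_id'] ?? 0 );
    $status     = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    demo_update_invoice_status( $invoice_id, $status );
    wp_send_json_success();
}

// Hardened pattern: the request must carry a nonce minted for this action
// and this user's session, and the user must hold the right capability.
// A cross-site page cannot read or mint the nonce, so a forged request
// fails the referer check before any state changes.
function demo_change_status_hardened() {
    // check_ajax_referer() runs wp_verify_nonce() on $_REQUEST['_wpnonce']
    // against the 'demo_invoice_status' action and dies with HTTP 403 when
    // the nonce is missing, expired or minted for another user or action.
    check_ajax_referer( 'demo_invoice_status', '_wpnonce' );

    // A nonce proves intent, not authority: still enforce the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $invoice_id = absint( $_POST['invoice_id'] ?? 0 );
    $status     = sanitize_text_field( wp_unslash( $_POST['status'] ?? '' ) );
    $allowed    = array( 'unpaid', 'paid', 'void' ); // assumed status set
    if ( 0 === $invoice_id || ! in_array( $status, $allowed, true ) ) {
        wp_send_json_error( 'bad input', 400 );
    }
    demo_update_invoice_status( $invoice_id, $status );
    wp_send_json_success();
}
add_action( 'wp_ajax_demo_invoice_change_status', 'demo_change_status_hardened' );

// The legitimate admin UI must mint the nonce so the hardened handler accepts
// its requests. For a fetch()/XHR call, send wp_create_nonce( 'demo_invoice_status' )
// as the _wpnonce field instead of using wp_nonce_field().
function demo_render_status_form( $invoice_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_invoice_change_status">
        <input type="hidden" name="invoice_id" value="<?php echo esc_attr( $invoice_id ); ?>">
        <?php wp_nonce_field( 'demo_invoice_status', '_wpnonce' ); ?>
        <select name="status">
            <option value="unpaid">unpaid</option>
            <option value="paid">paid</option>
            <option value="void">void</option>
        </select>
        <button type="submit">Change status</button>
    </form>
    <?php
}
```

When auditing an installed copy of the plugin, the quick check is whether the change_status code path in invoices_controller.php reaches a wp_verify_nonce(), check_ajax_referer() or check_admin_referer() call before it writes the new status; a handler that only tests for a logged-in user, as in the vulnerable function above, is exactly the shape this advisory describes.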
OpenCVE Enrichment