The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the personally identifiable information (first name, last name, phone number, and notes) of any existing customer record, including those linked to administrator accounts, by submitting the booking form with a known customer's email address. Exploitation requires the plugin to be configured with guest bookings enabled (is_customer_auth_disabled() returning true), which is necessary for the vulnerable unauthenticated code path in process_step_customer() to be reached.
Project Subscriptions
Advisories
No advisories yet.
Fixes
Solution
No solution given by the vendor.
Workaround
No workaround given by the vendor.
References
History
Fri, 03 Jul 2026 11:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Latepoint
Latepoint latepoint – Calendar Booking Plugin For Appointments And Events Wordpress Wordpress wordpress |
|
| Vendors & Products |
Latepoint
Latepoint latepoint – Calendar Booking Plugin For Appointments And Events Wordpress Wordpress wordpress |
Fri, 03 Jul 2026 09:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attackers to modify the personally identifiable information (first name, last name, phone number, and notes) of any existing customer record, including those linked to administrator accounts, by submitting the booking form with a known customer's email address. Exploitation requires the plugin to be configured with guest bookings enabled (is_customer_auth_disabled() returning true), which is necessary for the vulnerable unauthenticated code path in process_step_customer() to be reached. | |
| Title | LatePoint <= 5.6.1 - Missing Authorization to Unauthenticated Arbitrary Customer Data Modification via process_step_customer() Booking Form Customer Step | |
| Weaknesses | CWE-862 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Projects
Sign in to view the affected projects.
Status: PUBLISHED
Assigner: Wordfence
Published:
Updated: 2026-07-03T07:53:10.377Z
Reserved: 2026-06-05T16:30:18.829Z
Link: CVE-2026-11398
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-03T17:30:15Z
Weaknesses