Authorization Bypass in LatePoint Calendar Booking Plugin for WordPress
CVE-2026-11398
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 3 July 2026
What is CVE-2026-11398?
The LatePoint Calendar Booking Plugin for WordPress is prone to an authorization bypass vulnerability that affects all versions up to and including 5.6.1. This flaw arises from inadequate verification of user permissions, allowing unauthenticated attackers to modify sensitive data, including personally identifiable information like first names, last names, phone numbers, and notes. The exploitation occurs when guest bookings are enabled, granting unauthorized access to customer records by submitting the booking form with an existing customer's email address. Users are recommended to update to the latest version to mitigate this risk.
Affected Version(s)
LatePoint β Calendar Booking Plugin for Appointments and Events 0 <= 5.6.1