Authorization Bypass in LatePoint Calendar Booking Plugin for WordPress
CVE-2026-11398

5.3MEDIUM

What is CVE-2026-11398?

The LatePoint Calendar Booking Plugin for WordPress is prone to an authorization bypass vulnerability that affects all versions up to and including 5.6.1. This flaw arises from inadequate verification of user permissions, allowing unauthenticated attackers to modify sensitive data, including personally identifiable information like first names, last names, phone numbers, and notes. The exploitation occurs when guest bookings are enabled, granting unauthorized access to customer records by submitting the booking form with an existing customer's email address. Users are recommended to update to the latest version to mitigate this risk.

Affected Version(s)

LatePoint – Calendar Booking Plugin for Appointments and Events 0 <= 5.6.1

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

hhhai
.