Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress
CVE-2026-12657
5.3MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 2 July 2026
What is CVE-2026-12657?
The LatePoint β Calendar Booking Plugin for Appointments and Events for WordPress contains an Insecure Direct Object Reference vulnerability that allows unauthenticated attackers to manipulate the 'service_id' parameter. This lack of validation on a user-controlled key permits unauthorized bookings against services that should only be accessible to admin and agent users. Attackers can exploit this vulnerability via publicly accessible parameters, leading to unauthorized consumption of appointment capacity and undermining the integrity of service restrictions.
Affected Version(s)
LatePoint β Calendar Booking Plugin for Appointments and Events 0 <= 5.6.2