Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress
CVE-2026-12657

5.3MEDIUM

What is CVE-2026-12657?

The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress contains an Insecure Direct Object Reference vulnerability that allows unauthenticated attackers to manipulate the 'service_id' parameter. This lack of validation on a user-controlled key permits unauthorized bookings against services that should only be accessible to admin and agent users. Attackers can exploit this vulnerability via publicly accessible parameters, leading to unauthorized consumption of appointment capacity and undermining the integrity of service restrictions.

Affected Version(s)

LatePoint – Calendar Booking Plugin for Appointments and Events 0 <= 5.6.2

References

CVSS V3.1

Score:
5.3
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

gidget smith
.