Cross-Site Request Forgery Vulnerability in LatePoint Calendar Booking Plugin for WordPress
CVE-2026-9719
Key Information:
- Vendor: WordPress
- CVE Published: 5 June 2026
What is CVE-2026-9719?
The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress contains a Cross-Site Request Forgery vulnerability that affects all versions up to and including 5.6.0. The issue arises from inadequate nonce validation in the change_status function, which allows unauthorized attackers to change the status of invoices without the administrator's consent. By sending a specially crafted request, attackers could mark unpaid invoices as paid, provided they can induce an administrator to click on a malicious link. This potential exploit underscores the importance of robust nonce validation to safeguard against unauthorized actions within WordPress plugins.
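The failure mode described above, as an added example that is not LatePoint's code or part of the advisory: a simplified Python model of a cookie-authenticated status handler with and without a session- and action-bound nonce check. The secret, session token, action name and invoice data are constructed; in WordPress itself this check is done with `wp_verify_nonce()` or `check_admin_referer()`.

```python
import hashlib
import hmac

# Constructed values for this model; none come from LatePoint or the advisory.
SECRET = b"constructed-site-secret"
ADMIN_SESSION = "constructed-admin-session-token"
ACTION = "invoice_change_status"  # hypothetical action name

def make_nonce(session_token: str, action: str) -> str:
    """Token bound to one session and one action, like a WordPress nonce."""
    msg = f"{action}|{session_token}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:10]

def change_status_vulnerable(invoices, request):
    # Authenticated by cookie only: the browser attaches the admin cookie to
    # any request, including one triggered from a page the admin was lured to.
    if request["cookie"] != ADMIN_SESSION:
        return "denied: not logged in"
    invoices[request["invoice_id"]] = request["status"]
    return "ok"

def change_status_hardened(invoices, request):
    if request["cookie"] != ADMIN_SESSION:
        return "denied: not logged in"
    expected = make_nonce(request["cookie"], ACTION)
    supplied = request.get("nonce", "")
    # Constant-time comparison; a missing or wrong nonce stops the change.
    if not hmac.compare_digest(expected, supplied):
        return "denied: bad nonce"
    invoices[request["invoice_id"]] = request["status"]
    return "ok"

def demo():
    """Run a forged and a legitimate request through both handlers."""
    # Forged request: the cookie arrives automatically, the nonce is absent.
    forged = {"cookie": ADMIN_SESSION, "invoice_id": 7, "status": "paid"}
    # Legitimate request: the admin page embedded a nonce for this session.
    legit = dict(forged, nonce=make_nonce(ADMIN_SESSION, ACTION))
    results = {}
    for name, handler in (("vulnerable", change_status_vulnerable),
                          ("hardened", change_status_hardened)):
        for label, req in (("forged", forged), ("legit", legit)):
            invoices = {7: "unpaid"}
            results[(name, label)] = (handler(invoices, req), invoices[7])
    return results

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```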
Affected Version(s)
LatePoint – Calendar Booking Plugin for Appointments and Events 0 <= 5.6.0