Back to overview

CVE-2026-12657

MEDIUM
5.3
CVSS 3.1
Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'service_id' parameter due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to create approved bookings against services explicitly restricted to admins and agents, consuming restricted appointment capacity and triggering unauthorized bookings for admin/agent-only services. The bypass works via both the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.

Metadata

CVE ID
CVE-2026-12657
State
PUBLISHED
Assigner
Wordfence
Reserved
2026-06-18 18:49 UTC
Published
2026-07-02 08:33 UTC
Last updated
2026-07-02 12:37 UTC
Primary CWE
CWE-639
CWE-639 Authorization Bypass Through User-Controlled Key
Vendor / Product
latepoint / LatePoint – Calendar Booking Plugin for Appointments and Events
Sources
cve.org  ·  NVD

Severity & Metrics

5.3 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
yes
Tech. Impact
partial
Affected products (1)
VendorProductPlatformVersions
latepoint LatePoint – Calendar Booking Plugin for Appointments and Events 0 ≤ 5.6.2
Weakness (CWE)
CWESourceDescription
CWE-639 cna CWE-639 Authorization Bypass Through User-Controlled Key
CVSS scores (1)
ScoreSeverityVersionSourceVector
5.3 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Back to overview