309 matches found
CVE-2026-57714
CVE-2026-57714 is a SQL injection vulnerability in the WordPress LatePoint plugin (versions up to and including 5.6.3). The issue arises from improper neutralization of SQL elements, enabling Blind SQL Injection. The affected component is the LatePoint plugin for WordPress; no vendor/version deta...
LatePoint <= 5.0.11 - SQL Injection
The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible f...
LatePoint <= 5.0.12 - Authentication Bypass
LatePoint plugin for WordPress versions up to 5.0.12 contains an authentication bypass caused by insufficient verification of user during booking, letting unauthenticated attackers log in as any existing user if they have user ID access, exploit requires access to user ID, and the 'Use WordPress...
WordPress LatePoint plugin <= 5.6.3 - SQL Injection vulnerability
SQL Injection vulnerability discovered by daroo in WordPress Plugin LatePoint versions = 5.6.3...
CVE-2026-5356
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it...
EUVD-2026-42227
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it...
CVE-2026-5356
The CVE-2026-5356 entry concerns the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress, affected up to version 5.4.0. The root cause is improper input validation in the Stripe Connect payment processor, which accepts a client-supplied PaymentIntent ID. This misstep can...
CVE-2026-5356 LatePoint - Calendar Booking Plugin for Appointments and Events <= 5.4.0 - Unauthenticated Stripe PaymentIntent Amount-Binding Bypass
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it...
PT-2026-56400
Name of the Vulnerable Software and Affected Versions LatePoint – Calendar Booking Plugin for Appointments and Events versions prior to 5.4.1 Description Improper input validation in the Stripe Connect payment processor allows unauthenticated attackers to pay an arbitrary amount. This occurs...
CVE-2026-11398
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
CVE-2026-11398 LatePoint <= 5.6.1 - Missing Authorization to Unauthenticated Arbitrary Customer Data Modification via process_step_customer() Booking Form Customer Step
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
CVE-2026-11398
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
CVE-2026-11398
The CVE concerns LatePoint for WordPress, affecting all versions up to 5.6.1. It allows unauthenticated users to bypass authorization and modify PII (first name, last name, phone, notes) of any customer record by submitting a booking form with a known email when guest bookings are enabled (is_cus...
EUVD-2026-41524
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.6.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for...
PT-2026-55512
Name of the Vulnerable Software and Affected Versions LatePoint – Calendar Booking Plugin for Appointments and Events versions prior to 5.6.2 Description An authorization bypass exists because the plugin fails to properly verify if a user is authorized to perform specific actions. Unauthenticated...
WordPress LatePoint – Calendar Booking Plugin for Appointments and Events plugin <= 5.6.1 - Missing Authorization to Unauthenticated Arbitrary Customer Data Modification vulnerability
Missing Authorization to Unauthenticated Arbitrary Customer Data Modification vulnerability discovered by hhhai in WordPress Plugin LatePoint versions = 5.6.1...
CVE-2026-12657
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'serviceid' parameter due to missing validation on a user controlled key. This makes it possible for...
EUVD-2026-41261
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'serviceid' parameter due to missing validation on a user controlled key. This makes it possible for...
CVE-2026-12657
The CVE-2026-12657 entry concerns the WordPress LatePoint Calendar Booking Plugin (versions up to and including 5.6.2). The vulnerability is an Insecure Direct Object Reference exposed via user-controlled keys in two publicly accessible parameters: params[booking][service_id] in steps__load_step ...
CVE-2026-12657 LatePoint <= 5.6.2 - Unauthenticated Insecure Direct Object Reference to Arbitrary Creation via 'service_id' Parameter
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.6.2 via the 'serviceid' parameter due to missing validation on a user controlled key. This makes it possible for...