LatePoint – Calendar Booking Plugin for Appointments and Events

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details.

Basic Information

ID CVE-2026-1537

Source Wordfence

Published Feb 12, 2026 at 02:23

Affected Product

Vendor latepoint

Product LatePoint – Calendar Booking Plugin for Appointments and Events

Version *

Affected Versions latepoint LatePoint – Calendar Booking Plugin for Appointments and Events *

CWE Classification

CWE-862

References

{
    "lastseen": "",
    "description": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details.",
    "published": "2026-02-12T02:23:25.350Z",
    "modified": "2026-02-12T02:23:25.350Z",
    "type": "cve",
    "title": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure",
    "source": "Wordfence",
    "references": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c18ad885-52a8-467b-83f2-aeb0c8be8be0?source=cve\nhttps://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/model.php#L562\nhttps://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/helpers/steps_helper.php#L231",
    "id": "CVE-2026-1537",
    "bulletinFamily": "",
    "cwe": [
        "CWE-862"
    ],
    "cvelist": null,
    "sourceData": "latepoint LatePoint \u2013 Calendar Booking Plugin for Appointments and Events *",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events",
    "version": "*",
    "vendor": "latepoint",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure_CVE-2026-1537