WordPress Plugin Vulnerabilities

LatePoint – Calendar Booking Plugin for Appointments and Events < 5.2.7 - Authenticated (Subscriber+) Insecure Direct Object Reference

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.2.6 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions.

Affects Plugins

Plugin icon
latepoint
Fixed in 5.2.7

References

CVE
CVE-2026-32533
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/a76a6800-61ae-47e8-9659-47c08535516d

Classification

Type
IDOR
OWASP top 10
A5: Broken Access Control
CWE
CWE-639
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
daroo
Verified
No
WPVDB ID
7dc57a0d-3164-48eb-adec-e55dfabb7a7f

Timeline

Publicly Published
2026-03-23 (about 1 month ago)
Added
2026-04-02 (about 1 month ago)
Last Updated
2026-04-02 (about 1 month ago)

Other

Published
Title
Published
2024-07-09
Title
ProfileGrid < 5.9.0 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2024-12-11
Title
ElementInvader Addons for Elementor < 1.3.2 - Missing Authorization to Arbitrary Options Read
Published
2024-03-29
Title
Whizzy <= 1.1.18 - Authenticated (Subscriber+) Insecure Direct Object Reference
Published
2026-02-24
Title
WP Recipe Maker < 10.3.0 - Missing Authorization to Authenticated (Subscriber+) Sensitive Information Exposure
Published
2023-04-03
Title
WP FEvents Book <= 0.46 - Subscriber+ Arbitrary Booking Manipulation via IDOR