CVE-2026-1537
Unauthorized Data Access in LatePoint WordPress Plugin (load_step
Publication date: 2026-02-12
Last updated on: 2026-02-12
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| latepoint | calendar_booking_plugin | up to and including 5.2.6 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
Can you explain this vulnerability to me?
The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress has a vulnerability due to a missing capability check in the load_step() function in all versions up to and including 5.2.6.
This flaw allows unauthenticated attackers to access booking information without proper authorization.
Specifically, attackers can view sensitive booking data such as customer names, email addresses, phone numbers, appointment times, and service details.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized disclosure of personal and booking information.
- Exposure of customer names and contact details (emails, phone numbers).
- Disclosure of appointment times and service details.
Such data exposure can result in privacy violations, loss of customer trust, and potential misuse of personal information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
The vulnerability exists due to a missing capability check in the load_step() function of the LatePoint WordPress plugin up to version 5.2.6, allowing unauthenticated attackers to access booking information.
Immediate mitigation steps include updating the LatePoint plugin to a version later than 5.2.6 where this issue is fixed.
If an update is not immediately possible, restrict access to the plugin's endpoints related to booking steps, especially those invoking load_step(), by applying firewall rules or access controls to prevent unauthenticated access.
Monitor and audit access logs for suspicious requests targeting the booking steps or related REST API endpoints.
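To find installs that still need the update, the following added example (not from the advisory or the LatePoint project) reads WordPress plugin headers under a plugins directory and flags LatePoint copies at or below 5.2.6. Matching on the string "latepoint" in the plugin name, the function names and the sample header are assumptions constructed for illustration.

```python
import re
import sys
from pathlib import Path

LAST_AFFECTED = (5, 2, 6)  # advisory: all versions up to and including 5.2.6

# WordPress takes plugin metadata from "Key: value" lines in the main file's header comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)\s*$", re.M | re.I)

# Constructed sample header, not copied from the real plugin.
SAMPLE = "<?php\n/**\n * Plugin Name: LatePoint\n * Version: 5.2.6\n */\n"


def read_header(text):
    """Return the 'plugin name' and 'version' header fields found in a plugin file."""
    fields = {}
    for key, value in HEADER_RE.findall(text[:8192]):  # WordPress reads only the first 8 KB
        fields.setdefault(key.lower(), value.strip())
    return fields


def version_tuple(version):
    """'5.2' -> (5, 2, 0); a suffix such as '-beta' is ignored, extra parts are kept."""
    parts = [int(n) for n in re.findall(r"\d+", version.split("-")[0])]
    return tuple(parts + [0] * (3 - len(parts)))


def is_affected(version):
    """Numeric comparison, so 5.10.0 is correctly treated as newer than 5.2.6."""
    return version_tuple(version) <= LAST_AFFECTED


def audit(plugins_dir, name_hint="latepoint"):
    """Yield (path, version, affected) for plugins whose name contains name_hint (assumed)."""
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        fields = read_header(php.read_text(errors="replace"))
        if name_hint in fields.get("plugin name", "").lower() and "version" in fields:
            yield str(php), fields["version"], is_affected(fields["version"])


if __name__ == "__main__":
    # Usage: python audit_latepoint.py /path/to/wp-content/plugins
    for path, version, affected in audit(sys.argv[1]):
        print(f"{path}: {version} {'AFFECTED, update required' if affected else 'ok'}")
```

Run it against each site's `wp-content/plugins` directory; any line marked AFFECTED is a version the advisory lists as vulnerable.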