CVE-2026-1537
Awaiting Analysis - Queue
Unauthorized Data Access in LatePoint WordPress Plugin (load_step

Publication date: 2026-02-12

Last updated on: 2026-02-12

Assigner: Wordfence

Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details.
Meta Information
Published: 2026-02-12
Last Modified: 2026-02-12
Generated: 2026-06-16
AI Q&A: 2026-02-12
EPSS Evaluated: 2026-06-14
Affected Vendors & Products
Vendor: latepoint
Product: calendar_booking_plugin
Version / Range: to 5.2.6 (inc)
CWE ID: CWE-862
Description: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress has a vulnerability due to a missing capability check in the load_step() function in all versions up to and including 5.2.6.

This flaw allows unauthenticated attackers to access booking information without proper authorization.

Specifically, attackers can view sensitive booking data such as customer names, email addresses, phone numbers, appointment times, and service details.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of personal and booking information.

  • Exposure of customer names and contact details (emails, phone numbers).
  • Disclosure of appointment times and service details.

Such data exposure can result in privacy violations, loss of customer trust, and potential misuse of personal information.

Mitigation Strategies

The vulnerability exists due to a missing capability check in the load_step() function of the LatePoint WordPress plugin up to version 5.2.6, allowing unauthenticated attackers to access booking information.

Immediate mitigation steps include updating the LatePoint plugin to a version later than 5.2.6 where this issue is fixed.

If an update is not immediately possible, restrict access to the plugin's endpoints related to booking steps, especially those invoking load_step(), by applying firewall rules or access controls to prevent unauthenticated access.

Monitor and audit access logs for suspicious requests targeting the booking steps or related REST API endpoints.
