CVE-2026-5234
Insecure Direct Object Reference in LatePoint WordPress Plugin Exposes Financial Data
Publication date: 2026-04-17
Last updated on: 2026-04-17
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| latepoint | latepoint | up to and including 5.3.2 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows unauthenticated attackers to access and enumerate sensitive financial data such as invoice IDs, order IDs, customer IDs, charge amounts, and Stripe payment tokens. This exposure of sensitive customer and financial information could potentially lead to non-compliance with data protection regulations like GDPR and HIPAA, which require strict controls over access to personal and financial data.
However, the provided information does not explicitly state the impact on compliance with these standards.
Can you explain this vulnerability to me?
The LatePoint plugin for WordPress has a vulnerability called Insecure Direct Object Reference (IDOR) in all versions up to and including 5.3.2. This happens because a specific action, OsStripeConnectController::create_payment_intent_for_transaction, is publicly accessible without requiring authentication. It loads invoices by a simple sequential invoice_id without verifying ownership or requiring an access key. Unlike other invoice-related actions that require a secure cryptographic UUID access_key, this action allows unauthenticated attackers to enumerate valid invoice IDs by exploiting error messages.
As a result, attackers can create unauthorized transaction intent records in the database that contain sensitive financial data such as invoice_id, order_id, customer_id, and charge_amount. Additionally, on sites configured with Stripe Connect, the vulnerability leaks sensitive Stripe tokens and keys, including payment_intent_client_secret and transaction_intent_key, along with payment amounts.
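The two ingredients named above (an endpoint that loads a record by a guessable sequential id with no ownership or access-key check, and error messages that reveal whether the id exists) are the general IDOR pattern, not something specific to this plugin. The following PHP is an added, hypothetical illustration written for this page; it is not LatePoint's code and does not reproduce the affected controller. The invoice data, the `loadInvoiceById()` helper and the two handler functions are constructed for the example (PHP 8.1 or later). It shows the weak shape next to a hardened one that requires a per-record secret key, compares it in constant time and returns a single uniform error so that valid ids cannot be distinguished from invalid ones.

```php
<?php
declare(strict_types=1);

// Added example, not plugin code. Invoice records carry a random, unguessable
// access key generated at creation time and shared only with the invoice owner
// (in a WordPress plugin wp_generate_uuid4() is a common choice; random_bytes()
// is used here so the file runs stand-alone).
final class Invoice
{
    public function __construct(
        public readonly int $id,
        public readonly int $customerId,
        public readonly string $accessKey,
        public readonly int $chargeAmountCents,
    ) {}
}

// Constructed in-memory store standing in for the database (assumption).
function loadInvoiceById(int $id): ?Invoice
{
    static $db = null;
    if ($db === null) {
        $db = [
            101 => new Invoice(101, 7, bin2hex(random_bytes(16)), 4999),
            102 => new Invoice(102, 9, bin2hex(random_bytes(16)), 12000),
        ];
    }
    return $db[$id] ?? null;
}

// WEAK pattern (hypothetical): the only input is a sequential id, nothing ties
// the caller to the record, and the error text differs for a missing id versus
// a present one, so the response itself confirms which ids exist.
function createIntentWeak(array $request): array
{
    $invoice = loadInvoiceById((int) ($request['invoice_id'] ?? 0));
    if ($invoice === null) {
        return ['status' => 'error', 'message' => 'Invoice not found'];
    }
    return [
        'status'     => 'success',
        'invoice_id' => $invoice->id,
        'amount'     => $invoice->chargeAmountCents,
    ];
}

// HARDENED pattern: require the per-invoice access key, compare it with
// hash_equals() so the comparison time does not depend on where the strings
// differ, and return one uniform error whether the id is unknown, the key is
// missing, or the key is wrong.
function createIntentHardened(array $request): array
{
    $invoice = loadInvoiceById((int) ($request['invoice_id'] ?? 0));
    $key     = (string) ($request['access_key'] ?? '');

    // Compare against a dummy key when the invoice does not exist so the
    // unknown-id path does the same amount of work as the wrong-key path.
    $storedKey = $invoice?->accessKey ?? str_repeat('0', 32);
    $valid     = $invoice !== null && $key !== '' && hash_equals($storedKey, $key);

    if (!$valid) {
        return ['status' => 'error', 'message' => 'Invalid request'];
    }
    return [
        'status'     => 'success',
        'invoice_id' => $invoice->id,
        'amount'     => $invoice->chargeAmountCents,
    ];
}

// Demo with constructed requests: an id alone, an id with a wrong key, and an
// id with the key the owner was given.
$owned = loadInvoiceById(101);
var_dump(createIntentWeak(['invoice_id' => 101]));
var_dump(createIntentHardened(['invoice_id' => 101]));
var_dump(createIntentHardened(['invoice_id' => 999, 'access_key' => 'guess']));
var_dump(createIntentHardened(['invoice_id' => 101, 'access_key' => $owned->accessKey]));
```

Run with `php example.php`. The weak handler hands back the amount for any id it can find, while the hardened handler only does so when the caller also presents the matching key, and its three failure cases are indistinguishable from the response. In a real plugin the same effect can be achieved by checking the logged-in user's ownership of the record (for example with the current user's id against `customerId`) instead of, or in addition to, the key; the essential point is that a sequential id is an identifier, never a credential.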
How can this vulnerability impact me?
This vulnerability can have several impacts:
- Unauthorized access to sensitive financial information such as invoice IDs, order IDs, customer IDs, and charge amounts.
- Exposure of Stripe payment tokens and keys, which could potentially be used to manipulate or access payment transactions.
- Attackers can enumerate valid invoice IDs, leading to further exploitation or data leakage.
- Creation of unauthorized transaction intent records in the database, which may disrupt normal business operations or lead to fraudulent activities.