CVE-2026-1537
📋 TL;DR
This vulnerability in the LatePoint WordPress plugin allows unauthenticated attackers to access sensitive booking data without proper authorization. It affects all WordPress sites using LatePoint versions up to 5.2.6. The missing capability check in the load_step() function exposes customer PII and appointment details.
💻 Affected Systems
- LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Mass data exfiltration of all booking records containing PII (names, emails, phone numbers) and appointment details, potentially leading to identity theft, phishing campaigns, or service disruption.
Likely Case
Unauthorized viewing of booking information, compromising customer privacy and violating data protection regulations like GDPR.
If Mitigated
Limited exposure if plugin is behind authentication or network restrictions, but core vulnerability remains.
🎯 Exploit Status
The vulnerability requires no authentication and minimal technical skill to exploit via crafted HTTP requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.7 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3200000%40latepoint%2F5.2.7&old=3199999%40latepoint%2F5.2.6
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find LatePoint plugin and click 'Update Now'. 4. Verify version is 5.2.7 or higher.
🔧 Temporary Workarounds
Disable LatePoint Plugin
allTemporarily deactivate the plugin to prevent exploitation while planning update.
wp plugin deactivate latepoint
Web Application Firewall Rule
allBlock access to vulnerable endpoint patterns.
Add WAF rule to block requests containing 'load_step' parameter to LatePoint endpoints
🧯 If You Can't Patch
- Disable the LatePoint plugin immediately
- Implement network-level restrictions to block external access to WordPress admin paths
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → LatePoint → Version number. If version is 5.2.6 or lower, system is vulnerable.Check Version:
wp plugin get latepoint --field=versionVerify Fix Applied:
Confirm LatePoint version is 5.2.7 or higher in WordPress plugins page.📡 Detection & Monitoring
Log Indicators:
- HTTP requests to /wp-admin/admin-ajax.php with 'action' parameter containing 'latepoint' and 'load_step'
Network Indicators:
- Unusual spikes in requests to WordPress admin-ajax.php from unauthenticated sources
SIEM Query:
source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND query="*load_step*" AND user_agent!="*bot*"