{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1537", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-28T14:12:35.919Z", "datePublished": "2026-02-12T02:23:25.350Z", "dateUpdated": "2026-04-08T17:19:54.982Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:54.982Z"}, "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.2.6", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details."}], "title": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c18ad885-52a8-467b-83f2-aeb0c8be8be0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/model.php#L562"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/helpers/steps_helper.php#L231"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Chiao-Lin Yu"}], "timeline": [{"time": "2026-01-23T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2026-01-28T14:27:53.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-11T13:37:48.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-12T15:32:06.201319Z", "id": "CVE-2026-1537", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T15:32:16.843Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1537", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-12T15:32:06.201319Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-12T15:32:11.332Z"}}], "cna": {"title": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure", "credits": [{"lang": "en", "type": "finder", "value": "Chiao-Lin Yu"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.2.6"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-23T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2026-01-28T14:27:53.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-11T13:37:48.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c18ad885-52a8-467b-83f2-aeb0c8be8be0?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/model.php#L562"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/helpers/steps_helper.php#L231"}], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:19:54.982Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1537", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:19:54.982Z", "dateReserved": "2026-01-28T14:12:35.919Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-12T02:23:25.350Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details."}, {"lang": "es", "value": "El plugin LatePoint \u2013 Calendar Booking Plugin for Appointments and Events para WordPress es vulnerable al acceso no autorizado de datos debido a una falta de verificaci\u00f3n de capacidad en la funci\u00f3n load_step() en todas las versiones hasta la 5.2.6, inclusive. Esto hace posible que atacantes no autenticados vean informaci\u00f3n de reservas, incluyendo nombres de clientes, direcciones de correo electr\u00f3nico, n\u00fameros de tel\u00e9fono, horas de citas y detalles del servicio."}], "id": "CVE-2026-1537", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-12T04:15:47.413", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/helpers/steps_helper.php#L231"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/model.php#L562"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c18ad885-52a8-467b-83f2-aeb0c8be8be0?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.6]"}}], "product": "latepoint_\u2013_calendar_booking_plugin_for_appointments_and_events", "vendor": "latepoint"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T18:34:31.033663+00:00", "value": {"mitigation_remediation": ["Upgrade the LatePoint plugin to a version newer than 5.2.6, which contains the missing capability check.", "If an immediate upgrade is not feasible, implement server\u2011side or WordPress\u2011level restrictions to block unauthenticated requests to the load_step endpoint, such as using .htaccess rules or a firewall.", "Review any custom code or configurations that expose booking data to ensure that all endpoints perform proper capability checks before returning sensitive information."], "summary": {"action": "Apply Patch", "impact": "Unauthorized disclosure of booking data"}, "threat_synthesis": {"affected_systems": "WordPress sites using the LatePoint \u2013 Calendar Booking Plugin for Appointments and Events, specifically all releases up to and including version 5.2.6.", "description_and_impact": "The LatePoint plugin contains a missing capability check in the load_step() function, making it possible for unauthenticated attackers to retrieve booking details such as customer names, email addresses, phone numbers, appointment times, and service information. The vulnerability allows a confidentiality breach, exposing personal data that could be leveraged for identity theft or phishing campaigns. This vulnerability is a CWE-862: Missing Authorization.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a medium severity vulnerability. With an EPSS score of less than 1 percent, exploitation likelihood is currently very low, and the vulnerability is not listed in the CISA KEV catalog. However, because unauthenticated access is possible, the risk to individuals\u2019 personal information remains significant if an attacker can remotely query the load_step endpoint. The threat remains moderate in terms of impact magnitude, but the window for exploitation is essentially open to anyone who can identify the vulnerable endpoint."}}}}, "created": "2026-02-12T09:02:03.779185+00:00", "updated": "2026-04-15T18:45:11.412753+00:00", "vendors": ["latepoint", "latepoint$PRODUCT$latepoint_\u2013_calendar_booking_plugin_for_appointments_and_events", "wordpress", "wordpress$PRODUCT$wordpress"]}