{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-5234", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-31T14:05:18.117Z", "datePublished": "2026-04-17T03:36:44.618Z", "dateUpdated": "2026-04-17T18:38:40.183Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T03:36:44.618Z"}, "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.3.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice."}], "title": "LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afec4c8c-a18d-4907-8879-2412f8a1abed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L20"}, {"url": "https://plugins.trac.wordpress.org/changeset/3505127/latepoint/trunk/lib/controllers/stripe_connect_controller.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-639 Authorization Bypass Through User-Controlled Key", "cweId": "CWE-639", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "baseScore": 5.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "darkestmode"}], "timeline": [{"time": "2026-03-31T14:20:32.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-16T15:19:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-17T18:38:28.386411Z", "id": "CVE-2026-5234", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T18:38:40.183Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-5234", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-17T18:38:28.386411Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-17T18:38:34.601Z"}}], "cna": {"title": "LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID", "credits": [{"lang": "en", "type": "finder", "value": "darkestmode"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.3.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-31T14:20:32.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-16T15:19:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afec4c8c-a18d-4907-8879-2412f8a1abed?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L31"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L33"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L50"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L20"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L20"}, {"url": "https://plugins.trac.wordpress.org/changeset/3505127/latepoint/trunk/lib/controllers/stripe_connect_controller.php"}], "descriptions": [{"lang": "en", "value": "The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-639", "description": "CWE-639 Authorization Bypass Through User-Controlled Key"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-17T03:36:44.618Z"}}}, "cveMetadata": {"cveId": "CVE-2026-5234", "state": "PUBLISHED", "dateUpdated": "2026-04-17T18:38:40.183Z", "dateReserved": "2026-03-31T14:05:18.117Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-17T03:36:44.618Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice."}], "id": "CVE-2026-5234", "lastModified": "2026-04-22T20:22:50.570", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-17T05:16:18.830", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L20"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_controller.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L20"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L33"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_controller.php#L50"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3505127/latepoint/trunk/lib/controllers/stripe_connect_controller.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/afec4c8c-a18d-4907-8879-2412f8a1abed?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.3.2]"}}], "enrichment": {"confidence": 93.0, "confidence_source": "matching", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 93.0, "source": "matching"}]}, "original": {"product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "source": "cna", "vendor": "latepoint"}, "product": "latepoint_\u2013_calendar_booking_plugin_for_appointments_and_events", "vendor": "latepoint"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-17T06:51:48.325708+00:00", "value": {"mitigation_remediation": ["Upgrade LatePoint to version 5.4 or later, which removes the public create_payment_intent_for_transaction action.", "If an upgrade is not immediately feasible, restrict access to the endpoint by requiring valid authentication or a secret key, and consider blocking unauthenticated requests from unauthorized sources.", "Implement rate\u2011limiting and monitoring for the invoice endpoint to detect enumeration attempts, and block offending IP addresses to mitigate automated IDOR scans."], "summary": {"action": "Upgrade", "impact": "Unauthorized exposure of sensitive financial data via IDOR"}, "threat_synthesis": {"affected_systems": "The flaw impacts every installation of the LatePoint \u2013 Calendar Booking Plugin for Appointments and Events for WordPress that is running version 5.3.2 or earlier. Any site that has this plugin, regardless of the WordPress theme or other plugins, is vulnerable. The problem is confined to the LatePoint component and does not affect other WordPress core files or plugins.", "description_and_impact": "The LatePoint plugin for WordPress contains an Insecure Direct Object Reference flaw that permits an unauthenticated party to enumerate invoices. The vulnerability exists because the public OsStripeConnectController::create_payment_intent_for_transaction action loads invoices by a sequential integer invoice_id without verifying ownership or requiring authentication. The result is that attackers can obtain sensitive financial information, including invoice identifiers, order IDs, customer IDs, charge amounts, and, on sites configured with Stripe Connect, client\u2011secret tokens and transaction intent keys. This data compromise threatens the confidentiality of financial transactions and could facilitate fraudulent activity. The weakness is categorised as CWE-639. Based on the description, the likely attack vector is via unauthenticated HTTP requests to the exposed endpoint that provides the invoice_id parameter.", "risk_and_exploitability": "The CVSS base score is 5.3, reflecting moderate severity. The EPSS estimate is not available, and the vulnerability is not catalogued as a known exploited vulnerability. Attackers require only unauthenticated HTTP calls to a public endpoint, which can be discovered through brute\u2011force enumeration of sequential invoice IDs or by observing error messages. Because the exploit does not require privileged credentials or complex setup, the potential for exploitation is realistic, though there are no reports of this weakness being actively abused in the wild. The main consequence is the leakage of confidential financial data and, where Stripe Connect is enabled, sensitive authentication tokens."}}}}, "created": "2026-04-17T07:00:08.559473+00:00", "updated": "2026-04-17T08:00:10.869956+00:00", "vendors": ["latepoint", "latepoint$PRODUCT$latepoint_\u2013_calendar_booking_plugin_for_appointments_and_events", "wordpress", "wordpress$PRODUCT$wordpress"]}