CVE-2025-3769 identifies an Insecure Direct Object Reference (IDOR) vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events, a popular WordPress plugin used for managing bookings and appointments. The vulnerability exists in all versions up to and including 5.1.92 within the 'view_booking_summary_in_lightbox' functionality. The root cause is the lack of proper validation on a user-controlled key parameter, which allows unauthenticated attackers to manipulate the key and access booking summaries that should be restricted. This results in unauthorized disclosure of sensitive appointment details, including customer names and email addresses. The vulnerability does not require any authentication or user interaction, making it easier to exploit remotely over the network. The CVSS v3.1 base score is 5.3 (medium severity), reflecting the vulnerability's impact on confidentiality without affecting integrity or availability. No patches or known exploits are currently available, but the exposure of personal data could lead to privacy violations and facilitate social engineering or phishing attacks. The vulnerability is classified under CWE-639, which pertains to authorization bypass through user-controlled keys or references. Given the widespread use of WordPress and the popularity of booking plugins, this vulnerability has a broad attack surface.

The primary impact of CVE-2025-3769 is the unauthorized disclosure of sensitive customer information, including names and email addresses, which compromises confidentiality. This exposure can lead to privacy violations, regulatory non-compliance (e.g., GDPR), and reputational damage for affected organizations. Attackers could leverage the leaked data for targeted phishing campaigns, identity theft, or further exploitation of the affected systems. Since the vulnerability does not affect data integrity or availability, the direct operational impact is limited; however, the breach of personal data can have significant indirect consequences. Organizations relying on LatePoint for appointment scheduling, especially those handling sensitive client information such as healthcare providers, legal services, or financial institutions, face heightened risks. The ease of exploitation without authentication or user interaction increases the likelihood of automated scanning and mass exploitation attempts once the vulnerability becomes widely known.

1. Immediate mitigation should include updating the LatePoint plugin to a patched version once released by the vendor. 2. Until a patch is available, implement web application firewall (WAF) rules to detect and block suspicious requests targeting the 'view_booking_summary_in_lightbox' endpoint with anomalous or unexpected key parameters. 3. Restrict access to booking summary endpoints by IP whitelisting or requiring authentication where feasible. 4. Conduct code reviews and add strict server-side validation to ensure that user-controlled keys correspond only to bookings authorized for the requesting user. 5. Monitor web server logs for unusual access patterns or repeated attempts to enumerate booking keys. 6. Educate staff and customers about phishing risks stemming from potential data leaks. 7. Consider disabling the vulnerable plugin functionality temporarily if it cannot be secured promptly. 8. Implement data minimization and encryption for stored customer data to reduce exposure in case of leaks.