CVE-2026-1537: CWE-862 Missing Authorization in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events
CVE-2026-1537 is a medium-severity vulnerability in the LatePoint WordPress plugin that allows unauthenticated attackers to access sensitive booking data due to missing authorization checks. The flaw exists in the load_step() function, enabling attackers to view customer names, emails, phone numbers, appointment times, and service details without any authentication or user interaction. This vulnerability affects all versions up to and including 5.2.6. Although no known exploits are currently reported in the wild, the exposure of personal and appointment data poses privacy and confidentiality risks. European organizations using LatePoint for appointment management could face data leakage impacting customer trust and regulatory compliance. Mitigation requires updating the plugin once a patch is released or applying custom access controls to restrict unauthenticated access. Countries with high WordPress usage and significant SME sectors relying on appointment booking plugins, such as Germany, France, and the UK, are more likely to be affected. The vulnerability has a CVSS v3.1 base score of 5.3 (medium).
AI Analysis
Technical Summary
CVE-2026-1537 identifies a missing authorization vulnerability (CWE-862) in the LatePoint – Calendar Booking Plugin for Appointments and Events, a WordPress plugin widely used for managing bookings and appointments. The vulnerability resides in the load_step() function, which lacks proper capability checks, allowing unauthenticated attackers to retrieve sensitive booking information. This includes personally identifiable information (PII) such as customer names, email addresses, phone numbers, appointment times, and details about the services booked. The flaw affects all plugin versions up to and including 5.2.6. Because the vulnerability requires no authentication or user interaction, it can be exploited remotely by simply sending crafted requests to the vulnerable endpoint. The CVSS v3.1 base score is 5.3 (medium), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N, indicating network attack vector, low attack complexity, no privileges or user interaction required, and limited confidentiality impact without affecting integrity or availability. No patches or known exploits have been reported at the time of publication, but the exposure of sensitive customer data can lead to privacy violations and potential regulatory non-compliance, especially under GDPR. The plugin is commonly used by small and medium enterprises (SMEs) and service providers for appointment scheduling, making the vulnerability relevant for organizations relying on WordPress-based booking systems.
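The pattern behind a CWE-862 finding in a WordPress AJAX step loader, as an added illustration that is not LatePoint's code: the plugin name, hook names, capability name and data accessor below are hypothetical, and the sample booking record is constructed. The vulnerable form is shown for contrast; the hardened form adds a nonce, authentication, an ownership or capability check, and returns only the fields the step needs.

```php
<?php
// Hypothetical plugin "exampleplugin" (not LatePoint). Shows why a step loader that
// returns booking data must enforce authorization, and what the hardened form looks like.

function exampleplugin_get_booking(int $id): ?array {
    // Constructed sample record standing in for a database lookup.
    $bookings = [42 => [
        'customer_user_id' => 7, 'customer_email' => 'jane@example.invalid',
        'service_name' => 'Consultation', 'start_time' => '2026-03-01 09:00',
    ]];
    return $bookings[$id] ?? null;
}

// Vulnerable pattern (shown for contrast, not hooked): no nonce, no auth, no ownership check.
function exampleplugin_load_step_vulnerable() {
    $booking_id = isset($_POST['booking_id']) ? absint($_POST['booking_id']) : 0;
    wp_send_json_success(exampleplugin_get_booking($booking_id)); // leaks PII to any caller
}

// Hardened handler.
function exampleplugin_load_step_secure() {
    // 1. CSRF: nonce created with wp_create_nonce('exampleplugin_load_step') on the page.
    check_ajax_referer('exampleplugin_load_step', 'nonce');
    // 2. Authentication (defence in depth; the nopriv hook below is also omitted).
    if (!is_user_logged_in()) {
        wp_send_json_error(['message' => 'Authentication required'], 401);
    }
    $booking_id = isset($_POST['booking_id']) ? absint($_POST['booking_id']) : 0;
    $booking    = exampleplugin_get_booking($booking_id);
    if ($booking === null) {
        wp_send_json_error(['message' => 'Not found'], 404);
    }
    // 3. Authorization: caller must own the booking or hold a management capability.
    $is_owner   = (int) $booking['customer_user_id'] === get_current_user_id();
    $is_manager = current_user_can('manage_exampleplugin_bookings'); // hypothetical capability
    if (!$is_owner && !$is_manager) {
        wp_send_json_error(['message' => 'Forbidden'], 403);
    }
    // 4. Least disclosure: return only what this step needs, never the full record.
    wp_send_json_success([
        'step'       => sanitize_key(wp_unslash($_POST['step'] ?? 'datepicker')),
        'service'    => $booking['service_name'],
        'start_time' => $booking['start_time'],
    ]);
}
add_action('wp_ajax_exampleplugin_load_step', 'exampleplugin_load_step_secure');
// No wp_ajax_nopriv_ registration: anonymous requests never reach the handler.
```

The wp_send_json_* helpers terminate the request, so each failed check stops execution before any booking field is emitted.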
Potential Impact
The primary impact of CVE-2026-1537 is unauthorized disclosure of sensitive customer and appointment data, which can lead to privacy breaches and loss of customer trust. For European organizations, this raises significant concerns under GDPR, as personal data exposure without consent can result in regulatory fines and reputational damage. The vulnerability does not affect data integrity or availability, but the confidentiality breach alone is critical in sectors handling sensitive client information, such as healthcare, legal services, and financial consulting. Attackers could leverage the exposed data for phishing, social engineering, or identity theft. Organizations using LatePoint for appointment management may face operational disruptions if customers lose confidence in their data protection practices. The ease of exploitation without authentication increases the risk of widespread data scraping or targeted reconnaissance by malicious actors. Although no active exploitation is known, the vulnerability's presence in a popular WordPress plugin amplifies its potential impact across multiple industries in Europe.
Mitigation Recommendations
1. Monitor the LatePoint plugin vendor's official channels for security patches addressing CVE-2026-1537 and apply updates immediately upon release.
2. Until a patch is available, implement web application firewall (WAF) rules to block or restrict access to the load_step() function or related endpoints from unauthenticated users.
3. Restrict access to the WordPress admin and plugin endpoints using IP whitelisting or VPN access where feasible.
4. Conduct a thorough audit of booking data exposure and review logs for any suspicious access patterns targeting the plugin's endpoints.
5. Consider temporarily disabling the LatePoint plugin if the risk of data exposure outweighs operational needs.
6. Educate staff and customers about potential phishing risks stemming from exposed data.
7. Implement strict role-based access controls within WordPress to minimize unnecessary permissions.
8. Regularly back up booking data and ensure backups are securely stored to prevent data loss from potential follow-up attacks.
9. Review and update privacy policies and incident response plans to address potential data breaches involving appointment data.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-28T14:12:35.919Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 698d49854b57a58fa1aa88f5
Added to database: 2/12/2026, 3:31:17 AM
Last enriched: 2/12/2026, 3:46:02 AM
Last updated: 2/12/2026, 6:39:50 AM