CVE-2026-1537 identifies a missing authorization vulnerability (CWE-862) in the LatePoint – Calendar Booking Plugin for WordPress, specifically in the load_step() function. This function lacks proper capability checks, allowing unauthenticated users to retrieve booking information without any privilege verification. The affected plugin versions include all releases up to and including 5.2.6. The exposed data includes personally identifiable information (PII) such as customer names, email addresses, phone numbers, appointment times, and service details. The vulnerability is remotely exploitable over the network without requiring authentication or user interaction, making it accessible to any attacker aware of the flaw. The CVSS v3.1 base score is 5.3, indicating a medium severity primarily due to confidentiality impact. No integrity or availability impacts are noted. No official patches or exploit code are currently available, but the vulnerability is publicly disclosed and documented in the CVE database. The flaw arises from a failure to implement proper access control checks in the plugin’s code, a common security oversight in web applications handling sensitive user data. Organizations using LatePoint for appointment scheduling should consider this a privacy risk and take immediate steps to mitigate exposure until a patch is released.

The primary impact of CVE-2026-1537 is unauthorized disclosure of sensitive customer booking information, which can lead to privacy violations and potential regulatory non-compliance (e.g., GDPR, CCPA). Exposure of PII such as names, emails, and phone numbers can facilitate targeted phishing, social engineering, and identity theft attacks. While the vulnerability does not allow modification or deletion of data, the confidentiality breach alone can damage organizational reputation and customer trust. For businesses relying on LatePoint for appointment management, especially those in healthcare, legal, or financial sectors, the risk is heightened due to the sensitivity of the data involved. The vulnerability’s ease of exploitation without authentication increases the likelihood of opportunistic attacks. Although no known exploits are reported in the wild, the public disclosure may prompt attackers to develop exploit tools. Organizations worldwide using this plugin face potential data breaches, which could result in legal liabilities and financial penalties.

1. Monitor the LatePoint vendor’s official channels for security patches addressing CVE-2026-1537 and apply updates immediately upon release. 2. Until a patch is available, restrict access to the plugin’s endpoints by implementing web application firewall (WAF) rules that block unauthenticated requests to the load_step() function or related API endpoints. 3. Employ IP whitelisting or VPN access controls to limit plugin access to trusted internal networks or users. 4. Conduct a thorough audit of all booking data exposed via the plugin and notify affected customers if a breach is suspected. 5. Review and harden WordPress user roles and permissions to ensure minimal privileges are granted. 6. Consider temporarily disabling the LatePoint plugin if the risk outweighs operational needs until a fix is deployed. 7. Implement logging and monitoring to detect unusual access patterns or data exfiltration attempts related to the plugin. 8. Educate staff about phishing risks that may arise from leaked customer data. These steps go beyond generic advice by focusing on immediate access restrictions and compensating controls tailored to this specific plugin vulnerability.