CVE-2026-5234: CWE-639 Authorization Bypass Through User-Controlled Key in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events
The LatePoint WordPress plugin up to version 5. 3. 2 contains an insecure direct object reference vulnerability (CVE-2026-5234) that allows unauthenticated attackers to access and enumerate invoice records by their sequential IDs without proper authorization checks. This flaw exists because a public action loads invoices without verifying ownership or requiring an access key, unlike other invoice-related actions that use cryptographic UUID access keys. Exploitation can lead to unauthorized creation of transaction intent records containing sensitive financial data and leakage of Stripe payment intent secrets on sites using Stripe Connect.
AI Analysis
Technical Summary
CVE-2026-5234 is an authorization bypass vulnerability in the LatePoint WordPress plugin for calendar bookings, caused by the OsStripeConnectController::create_payment_intent_for_transaction action being publicly accessible without authentication or ownership verification. This allows attackers to enumerate invoice IDs and create unauthorized transaction intents with sensitive data including invoice_id, order_id, customer_id, charge_amount, and Stripe payment_intent_client_secret tokens. The vulnerability contrasts with other invoice actions that require cryptographic UUID access keys, indicating inconsistent access control implementation.
Potential Impact
An unauthenticated attacker can enumerate valid invoice IDs and create unauthorized transaction intent records containing sensitive financial information. On sites configured with Stripe Connect, the vulnerability also exposes Stripe payment intent client secrets and transaction keys, potentially compromising payment security. The CVSS score of 5.3 reflects a medium severity impact primarily due to information disclosure and unauthorized transaction creation without direct system compromise or denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict public access to the OsStripeConnectController::create_payment_intent_for_transaction action or implement custom access controls to verify invoice ownership and require authentication. Monitor vendor channels for updates and apply official patches promptly once released.
CVE-2026-5234: CWE-639 Authorization Bypass Through User-Controlled Key in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events
Description
The LatePoint WordPress plugin up to version 5. 3. 2 contains an insecure direct object reference vulnerability (CVE-2026-5234) that allows unauthenticated attackers to access and enumerate invoice records by their sequential IDs without proper authorization checks. This flaw exists because a public action loads invoices without verifying ownership or requiring an access key, unlike other invoice-related actions that use cryptographic UUID access keys. Exploitation can lead to unauthorized creation of transaction intent records containing sensitive financial data and leakage of Stripe payment intent secrets on sites using Stripe Connect.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-5234 is an authorization bypass vulnerability in the LatePoint WordPress plugin for calendar bookings, caused by the OsStripeConnectController::create_payment_intent_for_transaction action being publicly accessible without authentication or ownership verification. This allows attackers to enumerate invoice IDs and create unauthorized transaction intents with sensitive data including invoice_id, order_id, customer_id, charge_amount, and Stripe payment_intent_client_secret tokens. The vulnerability contrasts with other invoice actions that require cryptographic UUID access keys, indicating inconsistent access control implementation.
Potential Impact
An unauthenticated attacker can enumerate valid invoice IDs and create unauthorized transaction intent records containing sensitive financial information. On sites configured with Stripe Connect, the vulnerability also exposes Stripe payment intent client secrets and transaction keys, potentially compromising payment security. The CVSS score of 5.3 reflects a medium severity impact primarily due to information disclosure and unauthorized transaction creation without direct system compromise or denial of service.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict public access to the OsStripeConnectController::create_payment_intent_for_transaction action or implement custom access controls to verify invoice ownership and require authentication. Monitor vendor channels for updates and apply official patches promptly once released.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-31T14:05:18.117Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e1b7b882d89c981f6ce74b
Added to database: 4/17/2026, 4:31:52 AM
Last enriched: 4/17/2026, 4:47:12 AM
Last updated: 4/17/2026, 5:53:04 AM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.