CVE-2026-5234: CWE-639 Authorization Bypass Through User-Controlled Key in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events
The LatePoint WordPress plugin up to version 5. 3. 2 contains an insecure direct object reference vulnerability (CWE-639) in the OsStripeConnectController::create_payment_intent_for_transaction action. This action is publicly accessible without authentication and allows unauthenticated attackers to enumerate invoice IDs and create unauthorized transaction intent records. Sensitive financial data including invoice IDs, order IDs, customer IDs, charge amounts, and Stripe payment intent client secrets can be exposed. Other invoice-related actions in the plugin require cryptographic access keys, but this particular action does not, leading to the authorization bypass. The vulnerability has a CVSS score of 5. 3 (medium severity). No official patch or remediation guidance is currently available from the vendor.
AI Analysis
Technical Summary
CVE-2026-5234 is an authorization bypass vulnerability in the LatePoint – Calendar Booking Plugin for WordPress, specifically affecting versions up to 5.3.2. The vulnerability arises because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action without requiring authentication or ownership verification. It loads invoices by sequential integer invoice_id, unlike other invoice actions that require a cryptographic UUID access key. This flaw enables unauthenticated attackers to enumerate valid invoice IDs through error messages and create unauthorized transaction intent records containing sensitive financial information. On sites configured with Stripe Connect, the vulnerability additionally leaks Stripe payment_intent_client_secret tokens and transaction_intent_key values, exposing payment amounts and potentially sensitive transaction data. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and has a CVSS 3.1 score of 5.3, indicating medium severity. No patch or official remediation has been disclosed at this time.
Potential Impact
An unauthenticated attacker can enumerate valid invoice IDs and create unauthorized transaction intent records in the database, exposing sensitive financial data such as invoice IDs, order IDs, customer IDs, charge amounts, and Stripe payment intent client secrets. This could lead to unauthorized access to payment-related information and potential misuse of Stripe payment tokens. The vulnerability does not impact confidentiality of the entire system but leaks sensitive transaction data, which may facilitate further attacks or fraud.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict public access to the OsStripeConnectController::create_payment_intent_for_transaction action if possible, or disable the plugin if feasible. Monitor for updates from the LatePoint vendor and apply patches promptly once available.
CVE-2026-5234: CWE-639 Authorization Bypass Through User-Controlled Key in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events
Description
The LatePoint WordPress plugin up to version 5. 3. 2 contains an insecure direct object reference vulnerability (CWE-639) in the OsStripeConnectController::create_payment_intent_for_transaction action. This action is publicly accessible without authentication and allows unauthenticated attackers to enumerate invoice IDs and create unauthorized transaction intent records. Sensitive financial data including invoice IDs, order IDs, customer IDs, charge amounts, and Stripe payment intent client secrets can be exposed. Other invoice-related actions in the plugin require cryptographic access keys, but this particular action does not, leading to the authorization bypass. The vulnerability has a CVSS score of 5. 3 (medium severity). No official patch or remediation guidance is currently available from the vendor.
CVSS v3.1
Score 5.3medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-5234 is an authorization bypass vulnerability in the LatePoint – Calendar Booking Plugin for WordPress, specifically affecting versions up to 5.3.2. The vulnerability arises because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action without requiring authentication or ownership verification. It loads invoices by sequential integer invoice_id, unlike other invoice actions that require a cryptographic UUID access key. This flaw enables unauthenticated attackers to enumerate valid invoice IDs through error messages and create unauthorized transaction intent records containing sensitive financial information. On sites configured with Stripe Connect, the vulnerability additionally leaks Stripe payment_intent_client_secret tokens and transaction_intent_key values, exposing payment amounts and potentially sensitive transaction data. The vulnerability is classified under CWE-639 (Authorization Bypass Through User-Controlled Key) and has a CVSS 3.1 score of 5.3, indicating medium severity. No patch or official remediation has been disclosed at this time.
Potential Impact
An unauthenticated attacker can enumerate valid invoice IDs and create unauthorized transaction intent records in the database, exposing sensitive financial data such as invoice IDs, order IDs, customer IDs, charge amounts, and Stripe payment intent client secrets. This could lead to unauthorized access to payment-related information and potential misuse of Stripe payment tokens. The vulnerability does not impact confidentiality of the entire system but leaks sensitive transaction data, which may facilitate further attacks or fraud.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict public access to the OsStripeConnectController::create_payment_intent_for_transaction action if possible, or disable the plugin if feasible. Monitor for updates from the LatePoint vendor and apply patches promptly once available.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-31T14:05:18.117Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e1b7b882d89c981f6ce74b
Added to database: 4/17/2026, 4:31:52 AM
Last enriched: 4/24/2026, 4:16:04 PM
Last updated: 5/31/2026, 6:32:39 PM
Views: 80
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.