Auth bypass in Latepoint – Calendar Booking Plugin For Appointments And Events
CVE-2026-5234
The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action…
Vulnerability class: IDOR (Insecure Direct Object Reference)
EPSS: 0.001 (30.3th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.
Affected products
Weakness classification (CWE)
References
- www.wordfence.com/threat-intel/vulnerabilities/id/afec4c8c-a18d-4907-8879-2412f…
- plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_conne…
- plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_…
- plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_conne…
- plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_…
- plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_conne…
- plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_…
- plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_conne…
- plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_…
- plugins.trac.wordpress.org/changeset/3505127/latepoint/trunk/lib/controllers/st…
Frequently asked questions
- What is CVE-2026-5234?
- CVE-2026-5234 is a medium-severity vulnerability in Latepoint – Calendar Booking Plugin For Appointments And Events, classified under Authorization Bypass Through User-Controlled Key. CVSS score: 5.3/10. Published 2026-04-17.
- How severe is CVE-2026-5234?
- Medium severity. CVSS v3 base score is 5.3 out of 10.