Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-12657

CVE-2026-12657: LatePoint Plugin Auth Bypass Vulnerability

CVE-2026-12657 is an authentication bypass flaw in LatePoint Calendar Booking Plugin for WordPress that lets unauthenticated attackers book restricted admin-only services. This article covers technical details, affected versions, and mitigation.

Published:

CVE-2026-12657 Overview

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability [CWE-639] affecting all versions up to and including 5.6.2. The flaw resides in the service_id parameter, which lacks validation on a user-controlled key. Unauthenticated attackers can create approved bookings against services explicitly restricted to admins and agents. The bypass works through the params[booking][service_id] parameter in steps__load_step and the presets[selected_service] parameter in steps__start, both of which are publicly accessible without authentication.

Critical Impact

Unauthenticated attackers can create approved bookings against admin/agent-only services, consuming restricted appointment capacity and triggering unauthorized bookings.

Affected Products

  • LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress
  • All versions up to and including 5.6.2
  • WordPress sites using the LatePoint booking system

Discovery Timeline

  • 2026-07-02 - CVE CVE-2026-12657 published to NVD
  • 2026-07-02 - Last updated in NVD database

Technical Details for CVE-2026-12657

Vulnerability Analysis

The vulnerability is an Insecure Direct Object Reference in the LatePoint plugin's booking workflow. The plugin exposes two unauthenticated endpoints, steps__load_step and steps__start, that accept a service identifier from the client. The application uses this identifier to look up and bind services to bookings without verifying that the requesting user is authorized to book that service.

Services marked as restricted to admins or agents are enforced only at the user interface layer. The backend accepts any valid service_id value from a request. Attackers can therefore submit crafted requests referencing restricted services and receive approved bookings against them.

Root Cause

The root cause is missing authorization validation on the service_id parameter. The controller code at steps_controller.php lines 244 and 341 and helper logic at steps_helper.php lines 1202, 1618, and 1710 treat the client-supplied identifier as trusted. No check verifies whether the current session has permission to book the referenced service before creating the booking record.

Attack Vector

An unauthenticated attacker sends an HTTP request to the public booking endpoint with a params[booking][service_id] or presets[selected_service] value referencing a restricted service. The plugin processes the request and creates an approved booking. Repeated requests can exhaust appointment capacity for restricted services and produce unauthorized reservations.

The vulnerability requires only network access to a WordPress site running a vulnerable LatePoint version. No user interaction or authentication is required. For technical details on the vulnerable code paths, refer to the Wordfence Vulnerability Report and the WordPress Plugin Source Code.

Detection Methods for CVE-2026-12657

Indicators of Compromise

  • Bookings appearing for services configured as admin- or agent-only without a corresponding administrative session
  • Requests to admin-ajax.php or REST endpoints invoking steps__load_step or steps__start from unauthenticated clients
  • Anomalous appointment volume against restricted service IDs
  • Unexpected service_id values in POST bodies referencing internal-only services

Detection Strategies

  • Review web server access logs for POST requests containing params[booking][service_id] or presets[selected_service] parameters from unauthenticated sessions
  • Audit the LatePoint bookings database table for approved bookings tied to services flagged as restricted
  • Correlate booking creation timestamps with source IP addresses lacking prior authenticated activity

Monitoring Recommendations

  • Enable WordPress activity logging for booking creation events and monitor volume trends
  • Alert on repeated requests to LatePoint step endpoints from a single source IP within short intervals
  • Track booking counts against restricted services and flag any nonzero count as suspicious

How to Mitigate CVE-2026-12657

Immediate Actions Required

  • Update the LatePoint plugin to a version newer than 5.6.2 that includes the authorization fix referenced in the WordPress Changeset
  • Audit existing bookings for unauthorized entries against admin- or agent-only services and remove them
  • Review web application firewall rules to block requests referencing restricted service identifiers from unauthenticated sources

Patch Information

The vendor addressed the vulnerability in a version subsequent to 5.6.2. The fix is documented in the WordPress plugin changeset 3584059. Administrators should apply the update through the WordPress plugin management interface or by manually replacing plugin files with the patched version.

Workarounds

  • Temporarily deactivate the LatePoint plugin until the patched version is applied
  • Restrict access to admin-ajax.php endpoints handling LatePoint step actions using web server rules or a WAF
  • Configure restricted services to be hidden or disabled at the database level until the update is deployed
bash
# Configuration example: block LatePoint step endpoints at the web server for unauthenticated clients
# Nginx example rule
location = /wp-admin/admin-ajax.php {
    if ($arg_action ~* "^(steps__load_step|steps__start)$") {
        return 403;
    }
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.