CVE-2026-5234 Overview
The LatePoint plugin for WordPress contains an Insecure Direct Object Reference (IDOR) vulnerability in all versions up to and including 5.3.2. This flaw exists in the OsStripeConnectController::create_payment_intent_for_transaction action, which is registered as a public action requiring no authentication. The action loads invoices using sequential integer invoice_id values without verifying an access_key or ownership, allowing unauthenticated attackers to enumerate and access sensitive financial data.
Critical Impact
Unauthenticated attackers can enumerate valid invoice IDs, create unauthorized transaction intent records containing sensitive financial data, and on sites with Stripe Connect configured, leak Stripe payment_intent_client_secret tokens and payment amounts for any invoice.
Affected Products
- LatePoint plugin for WordPress versions up to and including 5.3.2
Discovery Timeline
- 2026-04-17 - CVE-2026-5234 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-5234
Vulnerability Analysis
This vulnerability is classified as CWE-639 (Authorization Bypass Through User-Controlled Key), a type of Insecure Direct Object Reference flaw. The core issue lies in inconsistent authorization enforcement across the LatePoint plugin's invoice-handling actions.
While other invoice-related actions such as view_by_key, payment_form, and summary_before_payment in OsInvoicesController properly require a cryptographic UUID access_key for authorization, the create_payment_intent_for_transaction action in OsStripeConnectController bypasses this security control entirely. This action accepts sequential integer invoice_id parameters directly from user input without any verification.
The vulnerability enables attackers to perform multiple malicious operations: enumerate valid invoice IDs through error message oracles, create unauthorized transaction intent records in the database, and exfiltrate sensitive financial information including invoice_id, order_id, customer_id, and charge_amount values. On WordPress sites with Stripe Connect integration, the attack surface expands to include leakage of Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts.
Root Cause
The root cause is the absence of authorization checks in the OsStripeConnectController::create_payment_intent_for_transaction action. Unlike properly secured invoice actions that require a cryptographic UUID access_key, this action is registered as a public endpoint and accepts user-supplied invoice_id parameters without validating that the requester has legitimate access to the specified invoice. The reliance on predictable sequential integer identifiers instead of non-guessable tokens further exacerbates the vulnerability.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests to the create_payment_intent_for_transaction endpoint with sequential invoice_id values. The error responses serve as an oracle, allowing attackers to distinguish between valid and invalid invoice IDs. Once valid IDs are identified, attackers can extract sensitive financial data and, on Stripe Connect-enabled sites, obtain payment intent secrets that could facilitate further financial fraud.
The vulnerability exists in the Stripe Connect controller code, specifically in how invoice data is loaded without proper access verification. For detailed code analysis, refer to the WordPress Stripe Connect Code and the Wordfence Vulnerability Analysis.
Detection Methods for CVE-2026-5234
Indicators of Compromise
- Unusual volume of requests to the create_payment_intent_for_transaction endpoint from single IP addresses
- Sequential invoice_id parameter values in request logs indicating enumeration attempts
- Error responses revealing invoice existence to unauthenticated users
- Unauthorized transaction intent records appearing in the database
Detection Strategies
- Monitor web server access logs for requests to LatePoint's Stripe Connect controller endpoints containing sequential numeric invoice_id parameters
- Implement rate limiting and anomaly detection on payment-related API endpoints
- Configure Web Application Firewall (WAF) rules to detect IDOR enumeration patterns
- Review database audit logs for unexpected transaction intent record creation
Monitoring Recommendations
- Set up alerts for high-frequency requests to /wp-admin/admin-ajax.php with LatePoint Stripe actions
- Monitor for authentication failures followed by successful data access patterns
- Implement logging for all invoice and payment intent access attempts with source IP tracking
How to Mitigate CVE-2026-5234
Immediate Actions Required
- Update the LatePoint plugin to a patched version beyond 5.3.2 immediately
- Review database for unauthorized transaction intent records created by unauthenticated users
- Audit Stripe Connect configurations and rotate any potentially exposed API credentials
- Monitor for suspicious financial transactions linked to leaked payment intent secrets
Patch Information
A patch has been released to address this vulnerability. The fix can be reviewed in the WordPress Changeset Record. Site administrators should update to the latest version of the LatePoint plugin through the WordPress plugin repository.
Workarounds
- Temporarily disable the LatePoint plugin if an immediate update is not possible
- Implement Web Application Firewall rules to block unauthenticated requests to Stripe Connect controller endpoints
- Restrict access to the WordPress admin-ajax.php endpoint at the network level for untrusted IP ranges
- Enable additional logging on payment-related endpoints to detect exploitation attempts
# Example Apache .htaccess rule to temporarily restrict access
<Files "admin-ajax.php">
<If "%{QUERY_STRING} =~ /action=latepoint.*stripe/i">
Require ip 127.0.0.1
Require ip your_trusted_ip_range
</If>
</Files>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
