CVE-2026-5365 Overview
CVE-2026-5365 is a Cross-Site Request Forgery (CSRF) vulnerability [CWE-352] affecting the LatePoint plugin for WordPress in all versions up to and including 5.3.2. The flaw stems from missing nonce verification on the request_cancellation() function within the customer cabinet controller. Unauthenticated attackers can cancel a logged-in customer's bookings by tricking the customer into clicking a malicious link or visiting a crafted page. Exploitation requires user interaction but no authentication on the attacker side.
Critical Impact
A successful CSRF attack lets a remote, unauthenticated attacker cancel bookings belonging to authenticated LatePoint customers, because the forged request runs in the victim's browser with the victim's own session and is processed as the customer's action. The impact is limited to booking integrity: the flaw by itself gives the attacker neither account access nor booking data.
Affected Products
- LatePoint plugin for WordPress, versions through 5.3.2
- Fixed in LatePoint version 5.4.0
- WordPress sites using LatePoint customer cabinet functionality
Discovery Timeline
- 2026-05-14 - CVE-2026-5365 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-5365
Vulnerability Analysis
The LatePoint plugin exposes a request_cancellation() handler in lib/controllers/customer_cabinet_controller.php that processes booking cancellation requests for authenticated customers. The handler does not validate a WordPress nonce or any anti-CSRF token before performing the state-changing cancellation action. Any cross-origin request that carries the victim's authenticated session cookies will be accepted as legitimate. The attack vector is network-based and requires the victim to interact with attacker-controlled content such as a hyperlink, image tag, or auto-submitting form.
Root Cause
The root cause is the absence of nonce verification on a state-changing endpoint. WordPress provides wp_verify_nonce(), check_admin_referer() and check_ajax_referer() for exactly this purpose: a nonce is derived from the action name, the user ID and the user's session token, so a page on another origin cannot produce a valid one. The affected controller method omits the check, so the browser-attached session cookie alone is treated as sufficient proof that the customer intended the cancellation.
Attack Vector
An attacker hosts a page containing a forged GET or POST request targeting the LatePoint cancellation endpoint. When a logged-in LatePoint customer visits the page or clicks an attacker-supplied link, the browser submits the request with valid session cookies. The plugin processes the cancellation as if the customer initiated it. The vulnerability does not allow arbitrary account takeover or data exfiltration, but it does break booking integrity. Technical specifics of the patched code path are available in the WordPress Change Log Entry.
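The missing check described in the Root Cause and Attack Vector sections, and the fix, as an added example in the shape of a generic WordPress AJAX handler. This is not LatePoint's code and is not modelled on its router; the `example_` function names, the `example_request_cancellation` action, the `_wpnonce` field and the `wp_example_bookings` table are assumptions for illustration:

```php
<?php
// Added example, not LatePoint's code. A hypothetical booking plugin's
// customer-cabinet cancellation handler, first in the vulnerable shape
// (CWE-352: no nonce) and then hardened with a WordPress nonce.

// --- Vulnerable shape: only the auth cookie is consulted. ---
function example_request_cancellation_vulnerable() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    // $_REQUEST accepts GET or POST, so an <img src=...> or an auto-submitting
    // <form> on an attacker's page reaches this line with the victim's cookies.
    $booking_id = absint( $_REQUEST['booking_id'] ?? 0 );
    example_cancel_booking( get_current_user_id(), $booking_id );
    wp_send_json_success();
}

// --- Hardened shape: nonce bound to the action and the logged-in session. ---
function example_request_cancellation_hardened() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    // check_ajax_referer() runs wp_verify_nonce() on the `_wpnonce` field and,
    // with the default $stop=true, ends the request with HTTP 403 on failure.
    // A cross-site page cannot know the value: it is derived from the victim's
    // session token and rotates every 12 to 24 hours.
    check_ajax_referer( 'example_request_cancellation', '_wpnonce' );
    // State changes are POST only; a cross-site top-level GET is never legitimate here.
    if ( 'POST' !== ( $_SERVER['REQUEST_METHOD'] ?? '' ) ) {
        wp_send_json_error( 'method not allowed', 405 );
    }
    $booking_id = absint( $_POST['booking_id'] ?? 0 );
    example_cancel_booking( get_current_user_id(), $booking_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_request_cancellation', 'example_request_cancellation_hardened' );

// The legitimate cabinet page must emit the matching nonce; this hidden field
// is what the hardened handler verifies.
function example_render_cancel_form( $booking_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_request_cancellation">
        <input type="hidden" name="booking_id" value="<?php echo absint( $booking_id ); ?>">
        <?php wp_nonce_field( 'example_request_cancellation', '_wpnonce' ); ?>
        <button type="submit">Cancel booking</button>
    </form>
    <?php
}

// The nonce proves the request came from the site's own page, not that the
// booking belongs to the caller, so the ownership check stays regardless.
function example_cancel_booking( $user_id, $booking_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_bookings'; // hypothetical table
    $owner = $wpdb->get_var( $wpdb->prepare(
        "SELECT customer_id FROM {$table} WHERE id = %d", $booking_id
    ) );
    if ( null === $owner || (int) $owner !== (int) $user_id ) {
        wp_send_json_error( 'not your booking', 403 );
    }
    $wpdb->update( $table, [ 'status' => 'cancelled' ], [ 'id' => $booking_id ], [ '%s' ], [ '%d' ] );
}
```

The nonce is a same-origin proof, not an authorization decision: the ownership query in example_cancel_booking() is what stops a logged-in customer from cancelling someone else's booking, and the POST-only check removes the image-tag and link variants of the attack even if a nonce were ever leaked into a URL.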
Detection Methods for CVE-2026-5365
Indicators of Compromise
- Booking cancellation events that are not preceded by the customer's own navigation to the cabinet page (for example, no earlier request for the cabinet page from the same session or IP)
- HTTP Referer headers on cancellation requests pointing to external or unrelated domains; an empty Referer is also suspicious, since an attacker page can suppress it with a no-referrer referrer policy, although legitimate clients behind a strict Referrer-Policy produce the same
- Bursts of cancellation requests originating from a single IP within a short window
- Customer complaints about appointments being cancelled without their action
Detection Strategies
- Inspect web server access logs for requests to LatePoint cancellation endpoints with cross-origin or empty Referer headers, keeping in mind that Referer is advisory only: attackers can blank it and some legitimate clients do too
- Correlate cancellation database writes with user-agent and IP changes versus the customer's normal session activity
- Deploy a web application firewall rule that flags state-changing LatePoint requests missing a nonce parameter, but first confirm that the plugin's own cabinet form sends one on this route; because the vulnerable handler never checked for a nonce, the legitimate client may not include one, and such a rule would then block real customers
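The Referer and burst checks from the list above, run over sample access-log lines, as an added example that is not part of the advisory or of LatePoint. The site host, the route marker matched by ROUTE_RE, and the log lines (including the admin-ajax action name they contain) are constructed for the demo; point ROUTE_RE at the real cancellation route before using it:

```php
<?php
// Added example, not from the advisory or LatePoint: scans Combined Log Format
// lines for the CSRF indicators listed above. SITE_HOST, ROUTE_RE and the
// sample lines are constructed; substitute the real cancellation route.

const SITE_HOST    = 'booking.example.test';
const ROUTE_RE     = '~request_cancellation~i';   // assumed route marker
const BURST_WINDOW = 60;                           // seconds
const BURST_LIMIT  = 3;                            // hits per IP per window

// ip ident user [time] "METHOD path PROTO" status bytes "referer" "user-agent"
const LOG_RE = '~^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$~';

function parse_line( string $line ): ?array {
    if ( ! preg_match( LOG_RE, $line, $m ) ) {
        return null;
    }
    $dt = DateTime::createFromFormat( 'd/M/Y:H:i:s O', $m[2] );
    return [
        'ip'      => $m[1],
        'ts'      => $dt ? $dt->getTimestamp() : 0,
        'method'  => $m[3],
        'path'    => $m[4],
        'status'  => (int) $m[5],
        'referer' => $m[6],
        'ua'      => $m[7],
    ];
}

// "missing" is a weaker signal than "cross-site": an attacker page can blank
// the header with <meta name="referrer" content="no-referrer">, but a strict
// Referrer-Policy on a legitimate client has the same effect.
function referer_verdict( string $referer ): string {
    if ( '' === $referer || '-' === $referer ) {
        return 'missing';
    }
    $host = strtolower( (string) parse_url( $referer, PHP_URL_HOST ) );
    return $host === SITE_HOST ? 'same-site' : 'cross-site';
}

function find_suspects( array $lines ): array {
    $findings = [];
    $hits     = [];   // ip => timestamps of cancellation requests
    $flagged  = [];   // ip => burst already reported
    foreach ( $lines as $line ) {
        $r = parse_line( $line );
        if ( null === $r || ! preg_match( ROUTE_RE, $r['path'] ) ) {
            continue;
        }
        $verdict = referer_verdict( $r['referer'] );
        if ( 'same-site' !== $verdict ) {
            $findings[] = sprintf( '%s: %s %s referer="%s" ua="%s" [%s]',
                $r['ip'], $r['method'], $r['path'], $r['referer'], $r['ua'], $verdict );
        }
        $hits[ $r['ip'] ][] = $r['ts'];
        $recent = array_filter( $hits[ $r['ip'] ], fn ( $t ) => $r['ts'] - $t <= BURST_WINDOW );
        if ( count( $recent ) >= BURST_LIMIT && empty( $flagged[ $r['ip'] ] ) ) {
            $flagged[ $r['ip'] ] = true;
            $findings[] = sprintf( '%s: %d cancellation requests within %ds [burst]',
                $r['ip'], count( $recent ), BURST_WINDOW );
        }
    }
    return $findings;
}

// Constructed sample: a legitimate same-site cancellation, one with a foreign
// Referer, one GET with no Referer, then a scripted burst from a single IP.
$sample = [
    '198.51.100.7 - - [14/May/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=request_cancellation HTTP/1.1" 200 51 "https://booking.example.test/cabinet/" "Mozilla/5.0"',
    '198.51.100.7 - - [14/May/2026:10:02:13 +0000] "POST /wp-admin/admin-ajax.php?action=request_cancellation HTTP/1.1" 200 51 "https://attacker.example/free-gift.html" "Mozilla/5.0"',
    '198.51.100.9 - - [14/May/2026:10:03:40 +0000] "GET /wp-admin/admin-ajax.php?action=request_cancellation&booking_id=42 HTTP/1.1" 200 51 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [14/May/2026:11:00:00 +0000] "POST /wp-admin/admin-ajax.php?action=request_cancellation HTTP/1.1" 200 51 "-" "python-requests/2.31"',
    '203.0.113.5 - - [14/May/2026:11:00:10 +0000] "POST /wp-admin/admin-ajax.php?action=request_cancellation HTTP/1.1" 200 51 "-" "python-requests/2.31"',
    '203.0.113.5 - - [14/May/2026:11:00:20 +0000] "POST /wp-admin/admin-ajax.php?action=request_cancellation HTTP/1.1" 200 51 "-" "python-requests/2.31"',
];

foreach ( find_suspects( $sample ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

Run it with `php detect.php`; on the constructed lines it reports the cross-site Referer, the two Referer-less requests, and one burst for 203.0.113.5. The legitimate first line produces nothing. Tune BURST_LIMIT to the site's real cancellation rate, and treat the "missing" verdict as a lead to correlate with the customer's session history rather than as proof on its own.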
Monitoring Recommendations
- Make sure web server access logs record method, path, query string, Referer, Origin and User-Agent for customer cabinet requests, and forward them to a central SIEM
- Track the rate and source distribution of booking cancellations and alert on statistical anomalies
- Monitor outbound email confirmations for cancellation notifications that customers did not request
How to Mitigate CVE-2026-5365
Immediate Actions Required
- Upgrade the LatePoint plugin to version 5.4.0 or later on every WordPress site that uses it
- Audit recent booking cancellations for the past several weeks and validate them with affected customers
- Restrict access to the WordPress admin and customer cabinet behind a WAF capable of CSRF heuristics
Patch Information
The vendor addressed the issue in LatePoint 5.4.0 by adding nonce verification to the request_cancellation() function. The code change is documented in the WordPress Change Log Entry and summarized in the Wordfence Vulnerability Insight. Administrators should update through the WordPress plugin dashboard or by replacing the plugin files manually.
Workarounds
- If patching is delayed, disable the LatePoint customer cabinet feature until the upgrade is applied
- Deploy WAF rules that require an Origin or Referer header matching the site domain on LatePoint state-changing routes, and refuse GET on those routes: browsers send Origin on cross-origin POST but not on top-level GET navigations, and an attacker page can suppress Referer, so a header check alone cannot make a GET-triggered cancellation safe
- Educate customers to log out of the booking portal before browsing untrusted sites or clicking unsolicited links
# Update LatePoint via WP-CLI to the patched release
wp plugin update latepoint --version=5.4.0
wp plugin get latepoint --field=version
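For sites that cannot put a WAF in front of WordPress, the Origin/Referer workaround from the list above can be applied in a must-use plugin. This is an added example, not LatePoint's code or an official mitigation; EXAMPLE_GUARD_ROUTE is an assumed marker for the cancellation route and the CLI cases at the bottom use constructed URLs:

```php
<?php
/**
 * Plugin Name: Example Origin Guard for a cancellation route
 *
 * Added example, not LatePoint's code. Drop into wp-content/mu-plugins/ as a
 * stopgap until the plugin is patched. EXAMPLE_GUARD_ROUTE is an assumed
 * substring of the cancellation route; set it to the real one.
 */

const EXAMPLE_GUARD_ROUTE = 'request_cancellation';

// Pure decision function (no WordPress calls) so it can be exercised from the CLI.
// Returns 'allow' or 'deny:<reason>'.
function example_guard_decide( string $method, string $uri, ?string $origin, ?string $referer, string $site_host ): string {
    if ( false === stripos( $uri, EXAMPLE_GUARD_ROUTE ) ) {
        return 'allow';                      // not the protected route
    }
    // A cross-site top-level GET carries cookies, has no Origin header, and its
    // Referer can be suppressed, so a state-changing route must refuse GET outright.
    if ( 'POST' !== strtoupper( $method ) ) {
        return 'deny:method';
    }
    // Browsers send Origin on cross-origin POST; Referer is the fallback.
    // A literal "null" Origin (sandboxed iframe, data: page) proves nothing.
    $source = ( $origin && 'null' !== $origin ) ? $origin : $referer;
    if ( ! $source ) {
        return 'deny:no-source';             // cannot prove same-site: fail closed
    }
    $host = strtolower( (string) parse_url( $source, PHP_URL_HOST ) );
    return $host === strtolower( $site_host ) ? 'allow' : 'deny:cross-site';
}

if ( function_exists( 'add_action' ) ) {
    // init at priority 0 runs before admin-ajax.php dispatches wp_ajax_* actions
    // and before plugin routers that hook init or later.
    add_action( 'init', function () {
        $method  = $_SERVER['REQUEST_METHOD'] ?? 'GET';
        $uri     = $_SERVER['REQUEST_URI'] ?? '';
        $verdict = example_guard_decide(
            $method,
            $uri,
            $_SERVER['HTTP_ORIGIN'] ?? null,
            $_SERVER['HTTP_REFERER'] ?? null,
            (string) parse_url( home_url(), PHP_URL_HOST )
        );
        if ( 'allow' !== $verdict ) {
            error_log( sprintf( 'example-guard: %s %s %s from %s',
                $verdict, $method, $uri, $_SERVER['REMOTE_ADDR'] ?? '' ) );
            wp_die( 'Request blocked.', 'Forbidden', [ 'response' => 403 ] );
        }
    }, 0 );
} else {
    // Run as `php example-guard.php` outside WordPress to see the decisions.
    $cases = [
        [ 'POST', '/wp-admin/admin-ajax.php?action=request_cancellation', 'https://booking.example.test', null ],
        [ 'POST', '/wp-admin/admin-ajax.php?action=request_cancellation', 'https://attacker.example', null ],
        [ 'POST', '/wp-admin/admin-ajax.php?action=request_cancellation', null, 'https://booking.example.test/cabinet/' ],
        [ 'POST', '/wp-admin/admin-ajax.php?action=request_cancellation', 'null', null ],
        [ 'POST', '/wp-admin/admin-ajax.php?action=request_cancellation', null, null ],
        [ 'GET',  '/wp-admin/admin-ajax.php?action=request_cancellation&booking_id=42', null, null ],
        [ 'GET',  '/cabinet/', null, null ],
    ];
    foreach ( $cases as [ $m, $u, $o, $r ] ) {
        printf( "%-4s %-70s origin=%-30s referer=%-40s => %s\n", $m, $u, $o ?? '-', $r ?? '-',
            example_guard_decide( $m, $u, $o, $r, 'booking.example.test' ) );
    }
}
```

Two things to confirm before enabling it: that the plugin's own cabinet UI submits the cancellation with POST (otherwise the GET refusal breaks legitimate use), and that the site's own pages send Origin or Referer on that POST (a site-wide Referrer-Policy of no-referrer would trip the fail-closed branch on older browsers that omit Origin for same-origin POST). Remove the guard once LatePoint 5.4.0 is in place; it is a stand-in for the nonce check, not a replacement.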
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.