CVSS base score
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
What the vulnerability does
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details.
Explanation of Vulnerability in Simple Terms
LatePoint versions up to 5.2.6 lack proper authorization checks, allowing unauthenticated attackers to read sensitive information through the plugin's API or interface. No user interaction is required. The vulnerability exposes confidential data but does not allow modification or service disruption. Site administrators should update to a version newer than 5.2.6.
What an attacker can do
Read sensitive information from the plugin without logging in.
Potential impact on your site
Confidential booking, appointment, or user data may be exposed to unauthenticated visitors.
Conditions required to exploit
Network access to the site; no authentication or user interaction required.
Key dates
External resources
Related vulnerabilities
