🔐 CVE Alert

CVE-2026-5356

HIGH 7.5

LatePoint - Calendar Booking Plugin for Appointments and Events <= 5.4.0 - Unauthenticated Stripe PaymentIntent Amount-Binding Bypass

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it possible for unauthenticated attackers to pay an arbitrary amount by supplying a previously succeeded PaymentIntent token.

CWE CWE-862
Vendor latepoint
Product latepoint – calendar booking plugin for appointments and events
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for latepoint latepoint – calendar booking plugin for appointments and events

Be the first to know when new high vulnerabilities affecting latepoint latepoint – calendar booking plugin for appointments and events are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability

Affected Versions

latepoint / LatePoint – Calendar Booking Plugin for Appointments and Events
0 ≤ 5.4.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗
wordfence.com: https://www.wordfence.com/threat-intel/vulnerabilities/id/1b1338c4-36a8-47b0-b3cf-c5dc690f8c1c?source=cve plugins.trac.wordpress.org: https://plugins.trac.wordpress.org/changeset/3509569/latepoint

Credits

Andrés Cruciani