CVE-2026-5356
LatePoint - Calendar Booking Plugin for Appointments and Events <= 5.4.0 - Unauthenticated Stripe PaymentIntent Amount-Binding Bypass
CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it possible for unauthenticated attackers to pay an arbitrary amount by supplying a previously succeeded PaymentIntent token.
| CWE | CWE-862 |
| Vendor | latepoint |
| Product | latepoint – calendar booking plugin for appointments and events |
| Published | Jul 8, 2026 |
| Last Updated | Jul 8, 2026 |
Stay Ahead of the Next One
Get instant alerts for latepoint latepoint – calendar booking plugin for appointments and events
Be the first to know when new high vulnerabilities affecting latepoint latepoint – calendar booking plugin for appointments and events are published — delivered to Slack, Telegram or Discord.
Get Free Alerts →
Free · No credit card · 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
latepoint / LatePoint – Calendar Booking Plugin for Appointments and Events
0 ≤ 5.4.0
References
Credits
Andrés Cruciani