LatePoint Calendar Booking Plugin for WordPress Cross-Site Request Forgery Vulnerability

Vulnerability

A Cross-Site Request Forgery (CSRF) vulnerability exists in the LatePoint Calendar Booking Plugin for Appointments and Events on WordPress, affecting all versions through 5.2.5. The 'call_by_route_name' function in the routing layer validates user capabilities but does not enforce nonce verification. A forged request sent by an administrator's own browser carries that administrator's session, so the capability check passes even though the administrator never intended the action. This allows unauthenticated attackers to execute various administrative actions via forged requests, provided they can trick a site administrator into performing an action such as clicking a link.
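The difference between a capability-only check and a capability-plus-nonce check, as an added example: this is a simplified Python model, not LatePoint's code and not WordPress's nonce implementation. The route name, session table, secret and function names are all hypothetical or constructed for illustration.

```python
import hashlib
import hmac

SECRET = b"constructed-demo-secret"  # constructed; stands in for a per-site secret
SESSIONS = {"cookie-admin": {"user": "admin", "caps": {"manage_options"}}}  # constructed
ROUTES = {"settings__update": "manage_options"}  # hypothetical route -> required capability


def make_nonce(session_id: str, route: str) -> str:
    """Token bound to one session and one action, so another site cannot guess it."""
    msg = f"{session_id}|{route}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:20]


def dispatch_capability_only(cookie: str, route: str, params: dict) -> str:
    """Flawed pattern: authorizes the user but not the origin of the request."""
    session = SESSIONS.get(cookie)
    if session is None or ROUTES.get(route) not in session["caps"]:
        return "403 forbidden"
    return f"200 ran {route}"


def dispatch_with_nonce(cookie: str, route: str, params: dict) -> str:
    """Hardened pattern: same capability check, plus a per-session, per-action nonce."""
    session = SESSIONS.get(cookie)
    if session is None or ROUTES.get(route) not in session["caps"]:
        return "403 forbidden"
    expected = make_nonce(cookie, route)
    supplied = str(params.get("_nonce", ""))
    if not hmac.compare_digest(expected, supplied):  # constant-time comparison
        return "403 bad nonce"
    return f"200 ran {route}"


# Constructed requests. The browser attaches the admin cookie to both; only a
# page served by the site itself can embed the matching nonce.
forged = {"cookie": "cookie-admin", "route": "settings__update",
          "params": {"value": "x"}}
legit = {"cookie": "cookie-admin", "route": "settings__update",
         "params": {"value": "x",
                    "_nonce": make_nonce("cookie-admin", "settings__update")}}

if __name__ == "__main__":
    for name, req in (("forged", forged), ("legit", legit)):
        print(name, dispatch_capability_only(**req), "|", dispatch_with_nonce(**req))
```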

Impact

Exploitation of this vulnerability could lead to unauthorized administrative actions being performed on behalf of a site administrator.

Remediation

Users can update to version 5.2.6 or a newer patched version to address this vulnerability.

Added: Feb 14, 2026, 7:39 AM
Updated: Feb 14, 2026, 7:39 AM

Vulnerability Rating

Custom Algorithm
spread: 5.2
impact: 2.5
exploitability: 7.0
remediation: 7.7
relevance: 2.8
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.