LatePoint Calendar Booking Plugin for WordPress Insecure Direct Object Reference Vulnerability

Vulnerability

An Insecure Direct Object Reference (IDOR) vulnerability has been identified in the LatePoint Calendar Booking Plugin for WordPress, affecting all versions through 5.1.92. The issue lies in the 'view_booking_summary_in_lightbox' function, which performs insufficient validation on user-controlled keys and therefore allows unauthenticated attackers to retrieve appointment details, including customer names and email addresses.

Impact

Exploitation of this vulnerability could lead to unauthorized access to sensitive appointment information, such as customer names and email addresses.

Reproduction

To reproduce this vulnerability, send a request to the 'view_booking_summary_in_lightbox' endpoint with a user-controlled 'booking_id' parameter. Because the parameter is not validated against the requester's right to that booking, the request is processed and the booking details are returned in lightbox format.
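The pattern behind the flaw described above, shown as an added illustration that is not LatePoint's code: a record is selected purely by a client-supplied 'booking_id', beside a hardened version that also demands proof of entitlement. Every name here (the in-memory BOOKINGS store, find_booking, view_booking_summary_vulnerable, view_booking_summary_hardened, the 'key' parameter and owner_key field) is hypothetical and constructed for the example.

```php
<?php
// Added example only; not the plugin's code. All identifiers are hypothetical.
declare(strict_types=1);

// Constructed in-memory booking store standing in for the plugin's database table.
// owner_key is a per-booking random secret handed only to the customer who booked.
const BOOKINGS = [
    101 => ['customer_name' => 'Alice Example', 'email' => 'alice@example.test', 'owner_key' => 'k-alice'],
    102 => ['customer_name' => 'Bob Example',   'email' => 'bob@example.test',   'owner_key' => 'k-bob'],
];

// How such a secret would be minted at booking time (hypothetical helper).
function generate_owner_key(): string {
    return bin2hex(random_bytes(16)); // 128 bits from the CSPRNG, unguessable
}

function find_booking(int $id): ?array {
    return BOOKINGS[$id] ?? null;
}

// VULNERABLE: the only thing selecting the record is the attacker-controlled id.
// Any unauthenticated request carrying a valid id receives that customer's details,
// which is exactly the IDOR condition in the advisory.
function view_booking_summary_vulnerable(array $request): array {
    $id = (int) ($request['booking_id'] ?? 0);
    $booking = find_booking($id);
    if ($booking === null) {
        return ['status' => 'error', 'message' => 'not found'];
    }
    return ['status' => 'success', 'name' => $booking['customer_name'], 'email' => $booking['email']];
}

// HARDENED: the record is released only when the caller also proves entitlement.
// Here the proof is the per-booking secret; hash_equals() compares in constant time
// (known value first, user value second). A logged-in flow would instead compare
// the booking's customer against the authenticated user.
function view_booking_summary_hardened(array $request): array {
    $id  = (int) ($request['booking_id'] ?? 0);
    $key = (string) ($request['key'] ?? '');
    $booking = find_booking($id);
    // Identical response for "no such booking" and "wrong key", so a client
    // cannot distinguish valid ids from invalid ones by probing.
    if ($booking === null || $key === '' || !hash_equals($booking['owner_key'], $key)) {
        return ['status' => 'error', 'message' => 'not found'];
    }
    return ['status' => 'success', 'name' => $booking['customer_name'], 'email' => $booking['email']];
}

// Demonstration with constructed requests.
echo 'vulnerable, id only:      ', view_booking_summary_vulnerable(['booking_id' => 102])['status'], PHP_EOL;
echo 'hardened, id only:        ', view_booking_summary_hardened(['booking_id' => 102])['status'], PHP_EOL;
echo 'hardened, id + wrong key: ', view_booking_summary_hardened(['booking_id' => 102, 'key' => 'k-alice'])['status'], PHP_EOL;
echo 'hardened, id + owner key: ', view_booking_summary_hardened(['booking_id' => 102, 'key' => 'k-bob'])['status'], PHP_EOL;
```

The defensive point is that a sequential numeric id is an index, not a credential: whatever selects a record for an unauthenticated caller must be unguessable (a random per-booking key) or tied to a session the server has already authenticated, and the error path must not reveal whether the id exists.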

Remediation

Users are advised to update the LatePoint Calendar Booking Plugin for WordPress to version 5.1.93 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 5.2
impact: 2.5
exploitability: 7.4
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.