CVE-2025-3769 5.3 MEDIUM
An Insecure Direct Object Reference (IDOR) in the LatePoint plugin for WordPress allows unauthenticated users to read appointment details, including customer names and email addresses.
| Product | LatePoint – Calendar Booking Plugin for Appointments and Events |
|---|---|
| Affected Versions | ≤ 5.1.92 |
| Fixed Version | 5.1.93 |
| CVSS Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| CWE | CWE-639 (Authorization Bypass Through User-Controlled Key) |
| Published | 2025-05-14 |
| Active installs | 100,000+ |
Description
The LatePoint plugin for WordPress is vulnerable to an Insecure Direct Object Reference (IDOR) in all versions up to and including 5.1.92. The flaw is in the view_booking_summary_in_lightbox function, which does not adequately validate the user-supplied parameters that select the booking to display, so the caller-controlled identifier alone determines which record is returned (CWE-639). Unauthenticated attackers can therefore retrieve appointment details such as customer names and email addresses from booking records, exposing the personal information stored with each appointment.
Impact
An unauthenticated attacker can enumerate and read booking records containing customer PII (names, email addresses, appointment details) on any WordPress site running a vulnerable version of LatePoint. Per the CVSS vector the impact is limited to confidentiality (C:L, I:N, A:N): the issue does not allow bookings to be modified or deleted. Sites should update to 5.1.93 or later.
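As an added illustration of the CWE-639 pattern described in the Description and of the enumeration described under Impact, the following Python models a booking-summary lookup first in its vulnerable form (the caller-supplied integer ID is the only input) and then in a hardened form. This is example code written for this page, not LatePoint's own PHP code; the record layout, function names and the per-booking access-key scheme are assumptions, and the sample bookings are constructed data.

```python
"""CWE-639 (IDOR) on a booking-summary lookup: vulnerable vs. hardened handler.

Added illustration, not LatePoint code. Record layout, function names and the
access-key scheme are assumptions made for this example.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class Booking:
    booking_id: int       # sequential primary key, as in a typical bookings table
    customer_id: int      # site user that owns the booking; 0 for a guest booking
    customer_name: str
    customer_email: str
    access_key: str       # unguessable per-booking secret issued when the booking is made


def _new_key() -> str:
    # 32 random bytes, URL-safe: infeasible to guess, unlike the integer booking_id.
    return secrets.token_urlsafe(32)


# Constructed sample records; sequential IDs are what make enumeration trivial.
BOOKINGS = {
    b.booking_id: b
    for b in (
        Booking(101, 7, "Alice Example", "alice@example.com", _new_key()),
        Booking(102, 0, "Bob Guest", "bob@example.org", _new_key()),
        Booking(103, 9, "Carol Example", "carol@example.net", _new_key()),
    )
}


def _summary(b: Booking) -> dict:
    return {"id": b.booking_id, "name": b.customer_name, "email": b.customer_email}


def view_booking_summary_vulnerable(booking_id: int) -> Optional[dict]:
    """The IDOR: the only input is a user-controlled key, and whoever supplies a
    valid booking_id gets the record (CWE-639). No session, nonce or secret needed."""
    b = BOOKINGS.get(booking_id)
    return None if b is None else _summary(b)


def view_booking_summary_fixed(
    booking_id: int,
    access_key: Optional[str] = None,
    current_user_id: int = 0,
    is_admin: bool = False,
) -> Optional[dict]:
    """Hardened lookup: the integer ID alone never authorises access.

    The caller must be an admin, the logged-in owner of the booking, or present
    the per-booking access_key (e.g. from the link a guest received by email).
    An unknown ID and a failed authorisation both return None so the endpoint
    does not act as an existence oracle for booking IDs.
    """
    b = BOOKINGS.get(booking_id)
    if b is None:
        return None
    if is_admin:
        return _summary(b)
    if current_user_id and current_user_id == b.customer_id:
        return _summary(b)
    if access_key is not None and hmac.compare_digest(
        access_key.encode("utf-8"), b.access_key.encode("utf-8")
    ):
        return _summary(b)
    return None


def enumerate_unauthenticated(handler: Callable[[int], Optional[dict]],
                              first_id: int = 1, last_id: int = 200) -> list:
    """What an unauthenticated attacker does: walk the ID space with no credentials."""
    leaked = []
    for booking_id in range(first_id, last_id + 1):
        record = handler(booking_id)
        if record is not None:
            leaked.append(record)
    return leaked


if __name__ == "__main__":
    print("vulnerable handler leaked:",
          len(enumerate_unauthenticated(view_booking_summary_vulnerable)))
    print("fixed handler leaked:",
          len(enumerate_unauthenticated(view_booking_summary_fixed)))
```

The design point is that the booking ID is a lookup key, not a credential: the fix ties every read to something the attacker cannot supply (an admin role, the owning session, or a high-entropy per-booking secret compared in constant time), and it returns the same "not found" result for missing and unauthorised IDs so the patched endpoint cannot be used to confirm which IDs exist.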