PT-2025-21146 · WordPress · Latepoint – Calendar Booking Plugin For Appointments/Events

Martin Martin · Published 2025-05-14 · Updated 2025-05-14 · CVE-2025-3769

CVSS v3.1: 5.3 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress versions up to, and including, 5.1.92
Description: The issue allows unauthenticated attackers to retrieve appointment details, such as customer names and email addresses, due to missing validation on a user-controlled key in the 'view booking summary in lightbox' endpoint. This enables attackers to access sensitive information without proper authorization.
Recommendations: For versions up to, and including, 5.1.92, consider disabling the view booking summary in lightbox feature until a patch is available to prevent unauthorized access to appointment details. Restrict access to sensitive information by implementing proper validation on user-controlled keys to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

IDOR

Weakness Enumeration

Related Identifiers: CVE-2025-3769

Affected Products: Latepoint – Calendar Booking Plugin For Appointments/Events