PT-2026-33403 · Latepoint · Latepoint – Calendar Booking Plugin For Appointments/Events

Darkestmode · Published 2026-04-17 · Updated 2026-04-17

CVE-2026-5234
CVSS v3.1: 5.3 (Medium) · AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create payment intent for transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice id without any access key or ownership verification. This contrasts with the other invoice-related actions (view by key, payment form, summary before payment) in OsInvoicesController, which correctly require a cryptographic UUID access key. As a result, unauthenticated attackers can enumerate valid invoice IDs via an error-message oracle and create unauthorized transaction intent records in the database containing sensitive financial data (invoice id, order id, customer id, charge amount); on sites with Stripe Connect configured, the response also leaks Stripe payment intent client secret tokens, transaction intent key values, and payment amounts for any invoice.
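The access-control gap described above, modelled as an added example (this is hypothetical illustration code, not LatePoint's own code; the names Invoice, INVOICES, create_intent_vulnerable, create_intent_hardened and the invoice_key parameter are assumptions). The first handler loads an invoice by caller-supplied integer id alone and answers unknown ids with a distinct message, which is the enumeration oracle. The second follows the pattern the advisory credits to the key-protected invoice actions: the request must carry the invoice's unguessable access key, the comparison is constant-time, every failure returns the same generic response, and the success payload is kept minimal.

```python
"""Vulnerable vs. hardened invoice lookup for a public "create payment intent" action.

Added, hypothetical model of the advisory's access-control gap. Not the plugin's code.
"""
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Invoice:
    invoice_id: int      # sequential integer id (guessable)
    order_id: int
    customer_id: int
    amount_cents: int
    access_key: str      # random per-invoice token, issued only to the invoice owner


# Constructed sample data (not real customers or invoices).
INVOICES = {
    101: Invoice(101, 5001, 7, 4999, access_key=secrets.token_hex(16)),
    102: Invoice(102, 5002, 9, 12000, access_key=secrets.token_hex(16)),
}

# One response for every failure (missing invoice, missing key, wrong key),
# so the reply does not reveal which invoice ids exist.
GENERIC_ERROR = {"status": "error", "message": "Unable to process request"}


def create_intent_vulnerable(params: dict) -> dict:
    """Public action that trusts a caller-supplied integer invoice id.

    Two defects: any caller can act on any invoice (no key, no ownership
    check), and the specific "not found" message distinguishes valid ids
    from invalid ones, acting as an existence oracle.
    """
    invoice = INVOICES.get(int(params.get("invoice_id", 0)))
    if invoice is None:
        return {"status": "error", "message": "Invoice not found"}
    # Creates the transaction intent record and echoes sensitive fields back.
    return {
        "status": "success",
        "invoice_id": invoice.invoice_id,
        "order_id": invoice.order_id,
        "customer_id": invoice.customer_id,
        "amount": invoice.amount_cents,
    }


def create_intent_hardened(params: dict) -> dict:
    """Same action, but authorised by the invoice's access key.

    The lookup may still use the integer id; authorisation comes from the
    unguessable key. A logged-in session owning the invoice would be the
    other acceptable check; this model uses the key only.
    """
    try:
        invoice_id = int(params.get("invoice_id", ""))
    except (TypeError, ValueError):
        return GENERIC_ERROR
    supplied_key = str(params.get("invoice_key", ""))
    invoice = INVOICES.get(invoice_id)
    # Always run the comparison, against a dummy when the invoice is missing,
    # so the code path is the same for unknown ids.
    expected = invoice.access_key if invoice is not None else "0" * 32
    key_ok = hmac.compare_digest(expected.encode(), supplied_key.encode())
    if invoice is None or not key_ok:
        return GENERIC_ERROR
    # Only now create the transaction intent record; return the minimum
    # the payment form needs rather than the full financial record.
    return {"status": "success", "invoice_id": invoice.invoice_id, "amount": invoice.amount_cents}


if __name__ == "__main__":
    print(create_intent_vulnerable({"invoice_id": "101"}))   # succeeds with no key
    print(create_intent_hardened({"invoice_id": "101"}))     # generic error
    print(create_intent_hardened({"invoice_id": "101", "invoice_key": INVOICES[101].access_key}))
```

The hardened handler deliberately does not tell the caller whether the id or the key was wrong; the only way to reach the success branch is to already hold the key that was issued with the invoice, which is the property the advisory says the other OsInvoicesController actions enforce and this one did not.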

Fix

IDOR

Weakness Enumeration

Related Identifiers: CVE-2026-5234

Affected Products: Latepoint – Calendar Booking Plugin For Appointments/Events