PT-2026-56400 · Latepoint · Latepoint – Calendar Booking Plugin For Appointments/Events

Andrés Cruciani

·

Published

2026-07-08

·

Updated

2026-07-08

·

CVE-2026-5356

CVSS v3.1

7.5

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Improper Input Validation in all versions up to, and including, 5.4.0. This is due to the plugin's Stripe Connect payment processor accepting a client-supplied PaymentIntent ID. This makes it possible for unauthenticated attackers to pay an arbitrary amount by supplying a previously succeeded PaymentIntent token.

Fix

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-5356

Affected Products

Latepoint – Calendar Booking Plugin For Appointments/Events