LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID

CVE	CVE-2026-5234
State	PUBLISHED
Assigner	Wordfence
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-04-17 05:16:18 UTC
Updated	2026-04-17 05:16:18 UTC
Description	The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice.

Primary CVSS: v3.1 5.3 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS: 0.000700000 probability, percentile 0.213270000 (date 2026-04-18)

Problem Types: CWE-639 | CWE-639 CWE-639 Authorization Bypass Through User-Controlled Key

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	5.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`
3.1	CNA	DECLARED	5.3	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Source	Vendor	Product	Version	Platforms
CNA	Latepoint	LatePoint Calendar Booking Plugin For Appointments And Events	affected 5.3.2 semver	Not specified

Reference	Source	Link	Tags
plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_c...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_contro...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_contro...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_c...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/changeset/3505127/latepoint/trunk/lib/controllers/stripe_conn...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_c...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/tags/5.2.9/lib/controllers/stripe_connect_c...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_contro...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_connect_contro...	[email protected]	plugins.trac.wordpress.org
www.wordfence.com/threat-intel/vulnerabilities/id/afec4c8c-a18d-4907-8879-2412f...	[email protected]	www.wordfence.com
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: darkestmode (en)

Source	Time	Event
CNA	2026-03-31T14:20:32.000Z	Vendor Notified
CNA	2026-04-16T15:19:09.000Z	Disclosed

There are currently no legacy QID mappings associated with this CVE.