CVE-2025-3769

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'view_booking_summary_in_lightbox' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to retrieve appointment details such as customer names and email addresses.

CVSS v3 5.3 MEDIUM

5.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php
https://plugins.trac.wordpress.org/changeset/3291162/
https://www.wordfence.com/threat-intel/vulnerabilities/id/7e9acd26-c341-4ece-bcf1-102f953a4b4f?source=cve

Configurations

No configuration.

History

16 May 2025, 14:43

Type	Values Removed	Values Added
Summary		(es) El complemento LatePoint – Calendar Booking Plugin for Appointments and Events para WordPress es vulnerable a una Referencia Directa a Objetos Insegura en todas las versiones hasta la 5.1.92 incluida, a través de 'view_booking_summary_in_lightbox', debido a la falta de validación en una clave controlada por el usuario. Esto permite a atacantes no autenticados obtener detalles de las citas, como nombres y direcciones de correo electrónico de los clientes.

14 May 2025, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-05-14 12:15

Updated : 2025-05-16 14:43

NVD link : CVE-2025-3769

Mitre link : CVE-2025-3769

CVE.ORG link : CVE-2025-3769

JSON object : View

Products Affected

No product.

CWE

CWE-639

Authorization Bypass Through User-Controlled Key

5.3 /10