[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fdwB0KnjX96ieA9KljV51eNNSGdw03NZhQe6Eh3BfzD4":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2026-1537","latepoint-calendar-booking-plugin-for-appointments-and-events-missing-authorization-to-booking-details-exposure","LatePoint – Calendar Booking Plugin for Appointments and Events \u003C= 5.2.6 - Missing Authorization to Booking Details Exposure","The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details.","latepoint",null,"\u003C=5.2.6","5.2.7","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Missing Authorization","2026-02-11 13:37:48","2026-02-12 02:23:25",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fc18ad885-52a8-467b-83f2-aeb0c8be8be0?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2026-1537 - LatePoint Booking Details Exposure\n\n## 1. Vulnerability Summary\nThe LatePoint plugin (\u003C= 5.2.6) contains a missing authorization vulnerability within its AJAX routing system, specifically targeting the `load_step()` function. The plugin uses a custom routing mechanism where requests are funneled through a central AJAX handler. The `load_step` method, intended to transition users through the booking wizard steps, fails to validate whether the requester has permission to view the details of a specific `booking_id`. Consequently, an unauthenticated attacker can supply a booking ID and retrieve sensitive information including customer names, email addresses, phone numbers, and appointment specifics.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Actions:** `latepoint_route_call` (authenticated) and `wp_ajax_nopriv_latepoint_route_call` (unauthenticated).\n*   **Vulnerable Route:** `bookings__load_step` (Inferred from LatePoint's `controller__action` routing convention).\n*   **Payload Parameter:** `booking_id` or `id` passed via `POST`.\n*   **Authentication:** None required (unauthenticated).\n*   **Preconditions:** At least one booking must exist in the system for data to be exposed.\n\n## 3. Code Flow\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with `action=latepoint_route_call`.\n2.  **Routing:** The request is handled by `OsRouterHelper::route()`. LatePoint parses the `route` parameter (e.g., `bookings__load_step`).\n3.  **Controller Dispatch:** The router instantiates `OsBookingsController` and calls the `load_step()` method.\n4.  **Vulnerable Logic (Inferred):**\n    *   `load_step()` retrieves the `booking_id` from the `$_POST` or `$_GET` array.\n    *   It fetches the booking object: `$booking = new OsBookingModel($booking_id);`.\n    *   It determines which step to display (often the \"verify\" or \"confirmation\" step).\n    *   **The Flaw:** The code lacks a check such as `if ($booking->customer_id != $current_customer_id && !current_user_can('manage_options'))`.\n5.  **Data Sink:** The controller renders a template (view) containing the booking details and returns it as a JSON response or raw HTML.\n\n## 4. Nonce Acquisition Strategy\nLatePoint typically uses a localized JavaScript object to manage its AJAX operations. \n\n1.  **Identify the Script:** The plugin enqueues its core JS on pages containing the booking shortcode.\n2.  **Shortcode:** `[latepoint_book_button]` or `[latepoint_booking_form]`.\n3.  **Strategy:**\n    *   Create a public page with the shortcode: `wp post create --post_type=page --post_status=publish --post_title=\"Booking\" --post_content='[latepoint_booking_form]'`.\n    *   Navigate to this page.\n    *   Extract the nonce from the `latepoint_helper` or `latepoint_wizard_vars` object.\n4.  **JS Verification:** Use `browser_eval` to find the nonce:\n    *   `browser_eval(\"window.latepoint_helper?.latepoint_token\")` (Inferred identifier).\n    *   *Note:* If the plugin allows unauthenticated routing without a nonce for the wizard (common in booking plugins to avoid session expiration issues), the request may work with an empty or omitted nonce.\n\n## 5. Exploitation Strategy\nThe goal is to request the \"verify\" step for a known or guessed booking ID.\n\n*   **Request Method:** `POST`\n*   **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Content-Type:** `application\u002Fx-www-form-urlencoded`\n*   **Payload:**\n    ```\n    action=latepoint_route_call&route=bookings__load_step&id=\u003CBOOKING_ID>&step_name=verify\n    ```\n    *(Note: `step_name` might also be `contact`, `payment`, or `confirmation` depending on the exact version's view names.)*\n\n### Step-by-Step Plan:\n1.  **Setup Data:** Ensure a booking exists (see Test Data Setup).\n2.  **Extract Nonce:** (If required) Navigate to the page with the shortcode and extract the token.\n3.  **Perform Attack:** Use `http_request` to call the route with an incremental `id`.\n4.  **Capture Response:** Analyze the `html` or `data` field in the JSON response for PII strings (Email, Phone, Name).\n\n## 6. Test Data Setup\nTo simulate a populated environment:\n1.  **Create a Customer:**\n    `wp eval \"if(!class_exists('OsCustomerModel')) { \u002F* load plugin *\u002F } $customer = new OsCustomerModel(); $customer->set_variables(['first_name' => 'Vulnerable', 'last_name' => 'User', 'email' => 'victim@example.com'])->save();\"`\n2.  **Create a Booking:**\n    `wp eval \"$booking = new OsBookingModel(); $booking->set_variables(['customer_id' => 1, 'service_id' => 1, 'agent_id' => 1, 'start_date' => '2026-01-01', 'start_time' => 600, 'end_time' => 660, 'status' => 'approved'])->save();\"`\n3.  **Publish Booking Page:**\n    `wp post create --post_type=page --post_status=publish --post_title=\"Book\" --post_content='[latepoint_booking_form]'`\n\n## 7. Expected Results\n*   **Status Code:** 200 OK.\n*   **Response Body:** A JSON object containing an `html` key.\n*   **Evidence:** Inside the `html` string, look for:\n    *   `\u003Cspan class=\"value\">victim@example.com\u003C\u002Fspan>`\n    *   Specific customer labels like `latepoint-customer-info`.\n    *   The booking ID and date\u002Ftime.\n\n## 8. Verification Steps\nAfter the exploit attempt, verify the data matches the database:\n1.  Check the booking ID used in the exploit:\n    `wp db query \"SELECT * FROM wp_latepoint_bookings WHERE id = \u003CID>\"`\n2.  Compare the output email\u002Fname with the values returned in the `http_request` response.\n\n## 9. Alternative Approaches\n*   **Route Variation:** If `bookings__load_step` is restricted, try `bookings__print_order_confirmation` or `bookings__get_customer_details`.\n*   **Parameter Variation:** Try `booking_id` instead of `id`.\n*   **Direct View Access:** LatePoint sometimes allows direct template loading via `latepoint_get_template_part`. Check if the `verify` step template can be loaded directly through the router.\n*   **ID Brute Forcing:** Since booking IDs are sequential integers, script a loop to iterate from 1 to 100 to demonstrate mass exposure.","The LatePoint plugin for WordPress (\u003C= 5.2.6) suffers from an insecure direct object reference (IDOR) vulnerability in its AJAX routing system. Unauthenticated attackers can supply a booking ID to the `load_step` action and retrieve sensitive booking information, including customer names, emails, and phone numbers, because the plugin fails to verify if the requester is authorized to view the specific booking.","\u002F\u002F lib\u002Fcontrollers\u002Fbookings_controller.php\n\npublic function load_step() {\n  $booking_id = $this->get_param('id');\n  $booking = new OsBookingModel($booking_id);\n\n  \u002F\u002F Vulnerability: No authorization check to ensure the current user \n  \u002F\u002F is either an admin or the owner of the booking.\n  $this->vars['booking'] = $booking;\n  $this->format_render(__FUNCTION__);\n}","--- a\u002Flib\u002Fcontrollers\u002Fbookings_controller.php\n+++ b\u002Flib\u002Fcontrollers\u002Fbookings_controller.php\n@@ -102,6 +102,11 @@\n   public function load_step() {\n     $booking_id = $this->get_param('id');\n     $booking = new OsBookingModel($booking_id);\n+\n+    if (!OsAuthHelper::is_admin_logged_in() && !OsAuthHelper::is_current_customer($booking->customer_id)) {\n+      wp_send_json_error(['message' => 'Unauthorized']);\n+      return;\n+    }\n+\n     $this->vars['booking'] = $booking;\n     $this->format_render(__FUNCTION__);\n   }","1. Identify a WordPress site running LatePoint \u003C= 5.2.6.\n2. Locate the AJAX endpoint at `\u002Fwp-admin\u002Fadmin-ajax.php`.\n3. Identify the required action (usually `latepoint_route_call`) and potentially extract a nonce from the source of a page containing a booking shortcode (e.g., `latepoint_helper.latepoint_token`).\n4. Craft a POST request to the AJAX endpoint with the following parameters: `action=latepoint_route_call`, `route=bookings__load_step`, `id=[TARGET_BOOKING_ID]`, and `step_name=verify` (or `confirmation`).\n5. Submit the request unauthenticated. Since booking IDs are typically sequential integers, an attacker can iterate through IDs to scrape data.\n6. The server response will contain a JSON object with an `html` field containing the rendered template for the requested step, which includes PII such as customer names, email addresses, and phone numbers.","gemini-3-flash-preview","2026-04-21 00:16:21","2026-04-21 00:18:05",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","5.2.6","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.2.7","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.2.7.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags"]