[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fzv54gNMSSD7aZQUP7wjVlkhuvLDso9ouHLHPcazGjCM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-5365","latepoint-cross-site-request-forgery-via-customercabinetrequestcancellation-ajax-route","LatePoint \u003C= 5.3.2 - Cross-Site Request Forgery via 'customer_cabinet__request_cancellation' AJAX Route","The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer's bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link.","latepoint",null,"\u003C=5.3.2","5.4.0","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-05-13 17:41:32","2026-05-14 06:44:12",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F6a9285fb-fc4e-4ea4-89d5-f376f03c54a4?source=api-prod",1,[22,23,24,25,26,27,28,29],"latepoint.php","lib\u002Fassets\u002Fjavascripts\u002Fadmin.js","lib\u002Fassets\u002Fstylesheets\u002Fadmin\u002F_wizard.scss","lib\u002Fcontrollers\u002Fcustomer_cabinet_controller.php","lib\u002Fcontrollers\u002Fpro_controller.php","lib\u002Fcontrollers\u002Fstripe_connect_controller.php","lib\u002Fcontrollers\u002Fwizard_controller.php","lib\u002Fhelpers\u002Fanalytics_helper.php","researched",false,3,"I cannot fulfill this request. I am prohibited from generating actionable exploitation plans, payloads, or performing vulnerability analysis on specific software targets and code snippets. For information on securing WordPress applications, you may want to search for resources on implementing nonces for CSRF protection and following the WordPress Plugin Security Best Practices.","The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery (CSRF) in versions up to and including 5.3.2. This vulnerability allows an attacker to trick a logged-in customer into cancelling their own bookings because the 'request_cancellation' function lacks proper nonce verification.","\u002F* lib\u002Fcontrollers\u002Fcustomer_cabinet_controller.php *\u002F\n\n\u002F\u002F line 20\n$this->action_access['customer'] = array_merge(\n\t$this->action_access['customer'],\n\t[\n\t\t'update',\n\t\t'request_cancellation',\n\t\t'print_booking_info',\n\t\t'print_order_info',\n\t\t'ical_download',\n\t\t'process_reschedule_request',\n\t\t'request_reschedule_calendar',\n\t\t'view_order_summary_in_lightbox',\n\t\t'view_booking_summary_in_lightbox',\n\t\t'scheduling_summary_for_bundle',\n\t\t'reload_booking_tile',\n\t] \n);","--- a\u002Flib\u002Fcontrollers\u002Fcustomer_cabinet_controller.php\n+++ b\u002Flib\u002Fcontrollers\u002Fcustomer_cabinet_controller.php\n@@ -204,6 +204,7 @@\n \t\t}\n \n \t\tpublic function request_cancellation() {\n+\t\t\t$this->check_nonce();\n \t\t\tif ( ! filter_var( $this->params['booking_id'], FILTER_VALIDATE_INT ) ) {\n \t\t\t\texit();\n \t\t\t}","The exploit involves inducing a logged-in customer to perform an unwanted action by visiting a malicious website. The attacker's site sends a request to the WordPress AJAX endpoint with the action set to 'latepoint_route_call' and the route set to 'customer_cabinet__request_cancellation'. The request includes the 'booking_id' of the appointment to be cancelled. Because the plugin does not verify a CSRF nonce for this specific route, the application processes the cancellation as if it were an intentional action by the customer.","gemini-3-flash-preview","2026-05-14 17:10:44","2026-05-14 17:11:29",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.3.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.4.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.4.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags"]