CVE-2026-5356: LatePoint WordPress Plugin Improper Input Validation Leading to Arbitrary Payments
An improper input validation vulnerability (CVE-2026-5356) in the LatePoint - Calendar Booking Plugin for Appointments and Events for WordPress, versions up to and including 5.4.0, allows unauthenticated attackers to exploit its Stripe Connect payment processor by supplying a previously succeeded PaymentIntent ID, resulting in the processing of arbitrary payments.
The LatePoint - Calendar Booking Plugin for Appointments and Events for WordPress, version 5.4.0 and earlier, contains a critical Improper Input Validation vulnerability (CVE-2026-5356). Discovered and published on July 8, 2026, this flaw allows unauthenticated attackers to exploit the plugin's Stripe Connect payment processor. By supplying a previously succeeded PaymentIntent ID from any legitimate Stripe transaction, attackers can effectively bypass authorization checks and force the system to process an arbitrary payment. This vulnerability is due to the plugin accepting client-supplied PaymentIntent IDs without sufficient re-validation, posing a significant risk of financial fraud and impacting the integrity of transactions for organizations utilizing the affected plugin versions.
Attack Chain
- An attacker identifies a WordPress website utilizing the LatePoint - Calendar Booking Plugin for Appointments and Events, specifically versions up to and including 5.4.0.
- The attacker identifies the specific endpoint for the plugin's Stripe Connect payment processor that handles PaymentIntent IDs.
- The attacker performs a legitimate, small-value transaction using Stripe (or obtains a PaymentIntent ID from a different source) to acquire a previously succeeded PaymentIntent ID.
- The attacker crafts a malicious HTTP request to the vulnerable LatePoint Stripe endpoint, injecting the legitimately obtained, succeeded PaymentIntent ID.
- Due to the Improper Input Validation (CWE-862) in the plugin, the crafted request bypasses intended authorization checks within the plugin's logic.
- The LatePoint plugin's Stripe Connect payment processor accepts and processes the client-supplied PaymentIntent ID as a valid transaction without proper re-validation.
- The website's payment system registers an arbitrary payment amount, effectively defrauding the service or manipulating its financial records using the attacker's supplied PaymentIntent token.
Impact
The primary impact of CVE-2026-5356 is the potential for significant financial fraud against organizations running the vulnerable LatePoint plugin. Unauthenticated attackers can cause arbitrary amounts to be processed, leading to direct monetary loss, fraudulent bookings, and manipulated financial records. This can result in financial discrepancies, chargebacks, reputational damage for businesses, and a loss of trust from customers. The vulnerability affects all versions up to and including 5.4.0, implying a potentially wide scope of affected WordPress installations.
Recommendation
- Patch CVE-2026-5356 by updating the LatePoint - Calendar Booking Plugin for Appointments and Events to a version greater than 5.4.0 immediately.
- Monitor web server access logs for repeated or unusual requests to payment processing endpoints within the LatePoint plugin directory, using
logsource: category: webserver. - Audit financial transaction records and Stripe logs for any unauthorized or anomalous PaymentIntent usages, which could indicate successful exploitation of the vulnerability described in CVE-2026-5356.