{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/latepoint/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-5356"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["LatePoint – Calendar Booking Plugin for Appointments and Events (\u003c= 5.4.0)"],"_cs_severities":["high"],"_cs_tags":["wordpress","plugin","vulnerability","webserver","cve"],"_cs_type":"advisory","_cs_vendors":["LatePoint","WordPress"],"content_html":"\u003cp\u003eThe LatePoint - Calendar Booking Plugin for Appointments and Events for WordPress, version 5.4.0 and earlier, contains a critical Improper Input Validation vulnerability (CVE-2026-5356). Discovered and published on July 8, 2026, this flaw allows unauthenticated attackers to exploit the plugin's Stripe Connect payment processor. By supplying a previously succeeded PaymentIntent ID from any legitimate Stripe transaction, attackers can effectively bypass authorization checks and force the system to process an arbitrary payment. This vulnerability is due to the plugin accepting client-supplied PaymentIntent IDs without sufficient re-validation, posing a significant risk of financial fraud and impacting the integrity of transactions for organizations utilizing the affected plugin versions.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a WordPress website utilizing the LatePoint - Calendar Booking Plugin for Appointments and Events, specifically versions up to and including 5.4.0.\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the specific endpoint for the plugin's Stripe Connect payment processor that handles PaymentIntent IDs.\u003c/li\u003e\n\u003cli\u003eThe attacker performs a legitimate, small-value transaction using Stripe (or obtains a PaymentIntent ID from a different source) to acquire a previously succeeded PaymentIntent ID.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the vulnerable LatePoint Stripe endpoint, injecting the legitimately obtained, succeeded PaymentIntent ID.\u003c/li\u003e\n\u003cli\u003eDue to the Improper Input Validation (CWE-862) in the plugin, the crafted request bypasses intended authorization checks within the plugin's logic.\u003c/li\u003e\n\u003cli\u003eThe LatePoint plugin's Stripe Connect payment processor accepts and processes the client-supplied PaymentIntent ID as a valid transaction without proper re-validation.\u003c/li\u003e\n\u003cli\u003eThe website's payment system registers an arbitrary payment amount, effectively defrauding the service or manipulating its financial records using the attacker's supplied PaymentIntent token.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe primary impact of CVE-2026-5356 is the potential for significant financial fraud against organizations running the vulnerable LatePoint plugin. Unauthenticated attackers can cause arbitrary amounts to be processed, leading to direct monetary loss, fraudulent bookings, and manipulated financial records. This can result in financial discrepancies, chargebacks, reputational damage for businesses, and a loss of trust from customers. The vulnerability affects all versions up to and including 5.4.0, implying a potentially wide scope of affected WordPress installations.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-5356 by updating the LatePoint - Calendar Booking Plugin for Appointments and Events to a version greater than 5.4.0 immediately.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for repeated or unusual requests to payment processing endpoints within the LatePoint plugin directory, using \u003ccode\u003elogsource: category: webserver\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAudit financial transaction records and Stripe logs for any unauthorized or anomalous PaymentIntent usages, which could indicate successful exploitation of the vulnerability described in CVE-2026-5356.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T13:20:18Z","date_published":"2026-07-08T13:20:18Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-5356-latepoint-plugin/","summary":"An improper input validation vulnerability (CVE-2026-5356) in the LatePoint - Calendar Booking Plugin for Appointments and Events for WordPress, versions up to and including 5.4.0, allows unauthenticated attackers to exploit its Stripe Connect payment processor by supplying a previously succeeded PaymentIntent ID, resulting in the processing of arbitrary payments.","title":"CVE-2026-5356: LatePoint WordPress Plugin Improper Input Validation Leading to Arbitrary Payments","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-5356-latepoint-plugin/"}],"language":"en","title":"CraftedSignal Threat Feed - LatePoint","version":"https://jsonfeed.org/version/1.1"}