ByteOS Network

NVD Vulnerability Details :

CVE-2026-5365

Deferred

Source-security@wordfence.com

Published At-14 May, 2026 | 07:16

Updated At-14 May, 2026 | 14:28

The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer's bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link.

Date Added	Due Date	Vulnerability Name	Required Action
	N/A

Metrics

Type	Version	Base score	Base severity	Vector
Primary	3.1	4.3	MEDIUM	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Type: Primary

Version: 3.1

Base score: 4.3

Base severity: MEDIUM

Vector:

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Weaknesses

CWE ID	Type	Source
CWE-352	Primary	security@wordfence.com

CWE ID: CWE-352

Type: Primary

Source: security@wordfence.com

References

Hyperlink	Source	Resource
https://plugins.trac.wordpress.org/changeset/3505127/latepoint/tags/5.4.0/lib/controllers/customer_cabinet_controller.php	security@wordfence.com	N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/6a9285fb-fc4e-4ea4-89d5-f376f03c54a4?source=cve	security@wordfence.com	N/A

Hyperlink: https://plugins.trac.wordpress.org/changeset/3505127/latepoint/tags/5.4.0/lib/controllers/customer_cabinet_controller.php

Source: security@wordfence.com

Resource: N/A

Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/6a9285fb-fc4e-4ea4-89d5-f376f03c54a4?source=cve

Source: security@wordfence.com

Resource: N/A

CISA Catalog

Metrics

CPE Matches

Weaknesses

Evaluator Description

Evaluator Impact

Evaluator Solution

Vendor Statements

References

Change History