CVE-2026-11866 PUBLISHED

LatePoint < 5.6.3 - Multiple Privileged Actions via CSRF

Assigner: WPScan
Reserved: 10.06.2026 Published: 16.07.2026 Updated: 16.07.2026

The Appointment Booking Plugin WordPress plugin before 5.6.3 does not validate a CSRF nonce on several state-changing actions handled by its central request dispatcher, allowing attackers to perform privileged actions, such as overwriting the booking-form configuration or disconnecting the connected payment gateway, via Cross-Site Request Forgery against a logged-in administrator.

Product Status

Vendor Unknown
Product Appointment Booking Plugin
Versions Default: unaffected
  • affected from 0 to 5.6.3 (excl.)

Credits

  • Meher Sudhakar Abbireddi finder
  • WPScan coordinator

References

Problem Types

  • CWE-352 Cross-Site Request Forgery (CSRF) CWE