MEDIUM 4.3

CVE-2026-9719: LatePoint CSRF Invoice Status Manipulation Vulnerability

The LatePoint WordPress plugin, which handles calendar booking and appointment scheduling, contains a security flaw that allows attackers to manipulate invoice statuses without proper authorization. An attacker can craft a malicious link or webpage and, if they trick a WordPress administrator into clicking it, change the status of any invoice—including fraudulently marking unpaid invoices as paid. This works because the plugin fails to properly validate requests before processing status changes.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
Weaknesses (CWE)
CWE-352
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.6.0. This is due to missing or incorrect nonce validation on the change_status function. This makes it possible for unauthenticated attackers to change the status of arbitrary invoices — including marking unpaid invoices as paid — without administrator consent via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-9719 is a Cross-Site Request Forgery (CSRF) vulnerability in LatePoint versions up to and including 5.6.0. The vulnerability exists in the change_status function due to missing or incorrect nonce validation. Nonces are security tokens that WordPress uses to verify that requests originate from legitimate administrative actions; without them, any cross-origin request can trigger the status change. The CVSS 3.1 score of 4.3 (MEDIUM) reflects the requirement for social engineering (tricking an admin to click a link) combined with the integrity impact of invoice manipulation.

Business impact

This vulnerability directly affects financial record integrity. Attackers can mark unpaid invoices as paid without legitimate payment, creating accounting discrepancies and potential revenue loss. For appointment-based businesses relying on LatePoint for billing, this could lead to missed income recognition, customer billing disputes, and audit complications. The requirement to social-engineer an administrator limits the attack surface compared to unauthenticated direct access, but a single compromised click can affect multiple financial records.

Affected systems

All versions of the LatePoint – Calendar Booking Plugin for Appointments and Events up to and including version 5.6.0 are affected. Any WordPress site using this plugin in a version at or below 5.6.0 is vulnerable. The plugin is commonly installed on service-based WordPress sites—salons, consultancies, medical practices, tutoring services—where appointment scheduling and invoice generation are critical.

Exploitability

The vulnerability requires user interaction: an administrator must be tricked into clicking a malicious link or visiting an attacker-controlled page while logged into WordPress. This is a moderate barrier that relies on social engineering rather than autonomous exploitation. However, once the click occurs, the attacker can change invoice statuses without additional authentication. The ease of constructing a CSRF payload makes this straightforward for an attacker with basic web skills. The vulnerability is not present in the CISA Known Exploited Vulnerabilities (KEV) catalog as of the available data.

Remediation

Immediately update the LatePoint plugin to a version newer than 5.6.0 that includes nonce validation fixes. WordPress administrators should check their plugin version and apply the patch as soon as available. For organizations unable to patch immediately, restrict administrative access to trusted networks, enforce strong administrator authentication, and educate administrators about phishing and malicious link risks. Consider disabling the plugin if no patched version is available and a workaround is impractical.

Patch guidance

Update LatePoint to a version newer than 5.6.0. Verify the patch version against the official LatePoint vendor advisory or the WordPress plugin repository to confirm that nonce validation has been implemented for the change_status function. Test the patch in a staging environment before deploying to production, ensuring that legitimate status changes still function and that cross-origin requests are properly rejected.

Detection guidance

Monitor WordPress administrator activity logs for unusual invoice status changes, particularly those occurring shortly after suspicious login activity or from unexpected IP addresses. Review web server access logs for CSRF-pattern requests: cross-origin POST requests to the change_status endpoint lacking proper nonce parameters. Implement logging on the change_status function if possible to record which user (or session) initiated each status change and from which referrer. Security plugins that monitor CSRF attempts may also flag these patterns.

Why prioritize this

While this vulnerability carries a MEDIUM CVSS score, it threatens financial data integrity and should not be deprioritized simply due to the social engineering requirement. Any organization using LatePoint for billing should treat this as a near-term remediation target. The simplicity of the attack method and the potential for cascading accounting problems justify swift action, even though the risk is lower than unauth unauthenticated remote code execution vulnerabilities.

Risk score, explained

The CVSS 3.1 score of 4.3 reflects a network-accessible vulnerability (AV:N) with low attack complexity (AC:L), no privilege requirement (PR:N), but a critical user interaction requirement (UI:R). The impact is limited to integrity (I:L) with no confidentiality or availability loss. The score appropriately penalizes the social engineering barrier while acknowledging that invoice manipulation represents a real and damaging integrity breach once the attack succeeds.

Frequently asked questions

Could an attacker change invoice statuses without tricking an administrator?

No. CSRF attacks inherently require user interaction because they rely on the target's browser session to carry the authenticated request. An attacker cannot trigger the change_status function directly; the administrator's logged-in browser must make the request. This is why the attack requires social engineering (a phishing link, for example) to succeed.

What should I do if I've already been patched but am unsure if my version is correct?

Check your WordPress dashboard under Plugins > Installed Plugins and verify the LatePoint version number. Cross-reference this against the official LatePoint changelog or vendor advisory to confirm that your version includes the nonce validation fix. If you are unsure, update to the latest available version and re-verify.

If I disable the plugin, will my appointment data be lost?

Disabling a plugin does not automatically delete its data from your WordPress database. However, your calendar booking and appointment functions will stop working. Always back up your WordPress database before disabling or removing any plugin. If you need to pause the plugin temporarily while awaiting a patch, disabling it is safer than leaving it vulnerable, but you should re-enable it as soon as a patched version is available.

Can my WordPress security plugin prevent this attack?

A well-configured WordPress security plugin may help by blocking suspicious cross-origin requests or monitoring for CSRF patterns. However, the fundamental defense is the nonce validation in the plugin itself. Security plugins are a supplementary layer, not a replacement for patching the vulnerability. Update your plugin first; use security plugins as defense-in-depth.

This analysis is provided for informational purposes by SEC.co and should not be considered legal or compliance advice. CVSS scores, affected versions, and patch information are based on publicly available source data as of the publication date. Organizations should verify vendor advisories and patch availability directly with LatePoint and WordPress before making remediation decisions. SEC.co does not guarantee the timeliness or accuracy of vulnerability disclosures and recommends independent security assessment for mission-critical systems. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).