PatchSiren cyber security CVE debrief

CVE-2026-9719 latepoint CVE debrief

A Cross-Site Request Forgery (CSRF) vulnerability exists in the LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress. This vulnerability affects all versions up to, and including, 5.6.0. The issue arises from missing or incorrect nonce validation on the change_status function, allowing unauthenticated attackers to change the status of arbitrary invoices, including marking unpaid invoices as paid, without administrator consent via a forged request.

Vendor: latepoint
Product: LatePoint – Calendar Booking Plugin for Appointments and Events
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-06
Original CVE updated: 2026-06-08
Advisory published: 2026-06-06
Advisory updated: 2026-06-08

Who should care

Users of the LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress, particularly those running versions up to and including 5.6.0, should be aware of this vulnerability. Site administrators are at risk because an attacker could trick them into performing an action such as clicking on a link, leading to unauthorized changes to invoice statuses.

Technical summary

The vulnerability has a CVSS score of 4.3 and a severity rating of MEDIUM. It falls under CWE-352, Cross-Site Request Forgery. Exploitation requires no privileges (PR:N), can be launched remotely (AV:N), and requires user interaction (UI:R). The impact is limited to integrity (I:L), with no confidentiality (C:N) or availability (A:N) impact.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update the LatePoint – Calendar Booking Plugin for Appointments and Events to a version later than 5.6.0.
  • Implement additional security measures to verify the legitimacy of requests changing invoice statuses.
  • Educate site administrators on the risks of clicking on unverified links.

Evidence notes

Evidence of this vulnerability comes from the National Vulnerability Database (NVD) and Wordfence security research. References include specific lines of code from the plugin's Git repository and a detailed vulnerability report from Wordfence.

Official resources

CVE-2026-9719 was published on 2026-06-06T00:16:42.460Z and modified on 2026-06-08T14:57:14.757Z.