MEDIUM
latepoint
CVE published 2026-06-06
CVE-2026-9719
A Cross-Site Request Forgery (CSRF) vulnerability exists in the LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress. This vulnerability affects all versions up to, and including, 5.6.0. The issue arises from missing or incorrect nonce validation on the change_status function, allowing unauthenticated attackers to change the status of arbitrary invoices, including marking u [truncated]