The LatePoint plugin for WordPress, versions up to and including 5.3.2, has been identified as vulnerable to an insecure direct object reference (ID CVE-2026-5234) that allows attackers to access and manipulate sensitive financial data. This flaw was reported on April 17 2026 at 5:16 a.m. by the CVE feed (News Source).
What We Know
The vulnerability arises from the OsStripeConnectController::create_payment_intent_for_transaction action, which is registered as a public endpoint with no authentication. It loads invoices by sequential integer invoice_id without any access_key or ownership verification. In contrast, other invoice-related actions in OsInvoicesController require cryptographic UUID access keys, ensuring proper authorization. Consequently, unauthenticated attackers can enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records that contain sensitive financial data—invoice_id, order_id, customer_id, charge_amount—and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice. The severity is rated as Medium (5.3) (CVSS details are available at the link).
Business Impact
Small-to-medium businesses that use WordPress with the LatePoint plugin to manage bookings or payments—especially those integrated with Stripe Connect—are directly exposed. Attackers can obtain customer identifiers, order details, and monetary amounts without authorization. This leads to:
- Revenue loss: unauthorized charges could be recorded, affecting financial reporting.
- Data exposure: sensitive personal information (customer IDs) becomes publicly accessible, potentially violating privacy regulations like GDPR or HIPAA.
- Operational disruption: mis-configured payment intents may lead to failed transactions, customer confusion, and reputational damage.
Enterprise CISOs may also be impacted if their internal sites use the plugin, as a breach could propagate across corporate systems, leading to broader compliance risks.
What To Do
- Immediate Update: If you are using LatePoint 5.3.2 or earlier, upgrade to the latest version (≥ 5.4) where this vulnerability has been patched. The CVE feed provides a list of affected products and release notes.
- Audit Access Controls: Review all public endpoints in your WordPress plugin stack. Ensure that any endpoint handling sensitive data requires proper authentication or access keys.
- Deploy Stripe Connect Configuration Checks: Verify that Stripe Connect is correctly configured, and restrict API exposure to authenticated users only. If you’re using the create_payment_intent_for_transaction action, consider disabling it or replacing it with a secure alternative.
- Implement Monitoring: Set up logs for invoice access attempts and monitor error messages that may reveal valid invoice IDs. Alert administrators promptly if suspicious patterns emerge.
- Risk Assessment: Conduct a quick security scan (via DefendMyBusiness’s free tool) to identify other vulnerabilities in your WordPress ecosystem.
If immediate upgrade is not feasible, consider temporarily disabling the affected action or implementing a custom wrapper that requires authentication before processing invoice IDs.
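To support the monitoring step above, here is an added example (not from the advisory or the LatePoint project) that scans web-server access logs for a single client requesting many distinct invoice_id values against the create_payment_intent_for_transaction action within a short window, the trace that sequential-ID enumeration leaves. The request path and query layout in the constructed sample lines are assumptions; adapt the regex to your server's log format.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlsplit, parse_qs

ACTION = "create_payment_intent_for_transaction"
LOG_RE = re.compile(r'^(\S+) \[([^\]]+)\] "(?:GET|POST) (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample log lines (assumption): the admin-ajax path and query layout are
# illustrative; only the action name and the invoice_id parameter come from the advisory.
SAMPLE_LOG = """\
203.0.113.7 [17/Apr/2026:05:16:01 +0000] "POST /wp-admin/admin-ajax.php?action=create_payment_intent_for_transaction&invoice_id=101 HTTP/1.1" 200
203.0.113.7 [17/Apr/2026:05:16:02 +0000] "POST /wp-admin/admin-ajax.php?action=create_payment_intent_for_transaction&invoice_id=102 HTTP/1.1" 200
203.0.113.7 [17/Apr/2026:05:16:03 +0000] "POST /wp-admin/admin-ajax.php?action=create_payment_intent_for_transaction&invoice_id=103 HTTP/1.1" 200
203.0.113.7 [17/Apr/2026:05:16:04 +0000] "POST /wp-admin/admin-ajax.php?action=create_payment_intent_for_transaction&invoice_id=104 HTTP/1.1" 200
198.51.100.9 [17/Apr/2026:05:20:10 +0000] "POST /wp-admin/admin-ajax.php?action=create_payment_intent_for_transaction&invoice_id=77 HTTP/1.1" 200
198.51.100.9 [17/Apr/2026:05:20:30 +0000] "POST /wp-admin/admin-ajax.php?action=create_payment_intent_for_transaction&invoice_id=77 HTTP/1.1" 200
"""

def parse_line(line):
    """Return (ip, timestamp, invoice_id) for a request to the vulnerable action, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, path, _status = m.groups()
    qs = parse_qs(urlsplit(path).query)
    if ACTION not in qs.get("action", []) or "invoice_id" not in qs:
        return None
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), qs["invoice_id"][0]

def find_enumeration(log_text, window_s=60, min_distinct=4):
    """Flag IPs that probe >= min_distinct distinct invoice_ids within window_s seconds.
    HTTP status is ignored on purpose: the oracle described in the advisory is the error
    message body, so probes for valid and invalid IDs may all return 200."""
    per_ip = defaultdict(deque)  # ip -> recent (timestamp, invoice_id) pairs
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, when, inv = rec
        recent = per_ip[ip]
        recent.append((when, inv))
        while (when - recent[0][0]).total_seconds() > window_s:
            recent.popleft()
        distinct = len({i for _, i in recent})
        if distinct >= min_distinct:
            flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged
```

Running find_enumeration(SAMPLE_LOG) flags 203.0.113.7 (four distinct IDs in four seconds) and ignores 198.51.100.9, which only retried its own invoice; tune window_s and min_distinct to your site's legitimate checkout traffic.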
The Bigger Picture
This incident underscores the growing threat of insecure direct object references in web applications. Even seemingly innocuous public endpoints can expose sensitive data if not properly secured. Organizations should adopt a proactive security posture—regularly reviewing and patching plugins, enforcing strict access controls, and monitoring for anomalous behaviors.
How We Can Help
DefendMyBusiness partners with 400+ technology providers to help organizations find the right security solutions. If you need a quick assessment of your WordPress environment, use our free security scan tool or contact us at https://defendmybusiness.com/contact.
Sources