CVE-2026-32533 - Vulnerability Details - OpenCVE

Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00017.

Key SSVC decision points have not yet been added.

Vendors	Products
Latepoint Subscribe	Latepoint Subscribe
Wordpress Subscribe	Wordpress Subscribe

No data.

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Latepoint Subscribe	Latepoint Subscribe
Wordpress Subscribe	Wordpress Subscribe

Advisories

No advisories yet.

Fixes

Solution

No solution given by the vendor.

Workaround

No workaround given by the vendor.

References

Link	Providers
https://patchstack.com/database/Wordpress/Plugin/latepoint/vulnerability/wordpress-latepoint-plugin-5-2-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve

History

Thu, 26 Mar 2026 12:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Latepoint Latepoint latepoint Wordpress Wordpress wordpress
Vendors & Products		Latepoint Latepoint latepoint Wordpress Wordpress wordpress

Wed, 25 Mar 2026 16:45:00 +0000

Type	Values Removed	Values Added
Description		Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6.
Title		WordPress LatePoint plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability
Weaknesses		CWE-639
References		https://patchstack.com/database/Wordpress/Plugin/latepoint/vulnerability/wordpress-latepoint-plugin-5-2-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve

Projects

Sign in to view the affected projects.

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published: 2026-03-25T16:15:09.898Z

Updated: 2026-03-26T13:19:18.208Z

Reserved: 2026-03-12T11:12:24.776Z

Link: CVE-2026-32533

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-25T17:17:06.877

Modified: 2026-03-25T17:17:06.877

Link: CVE-2026-32533

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-26T11:34:57Z

Weaknesses

CWE-639

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32533", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2026-03-12T11:12:24.776Z", "datePublished": "2026-03-25T16:15:09.898Z", "dateUpdated": "2026-03-26T13:19:18.208Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "latepoint", "product": "LatePoint", "vendor": "LatePoint", "versions": [{"changes": [{"at": "5.2.7", "status": "unaffected"}], "lessThanOrEqual": "<= 5.2.6", "status": "affected", "version": "n/a", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "daroo | Patchstack Bug Bounty Program"}], "datePublic": "2026-03-25T17:12:42.492Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.<p>This issue affects LatePoint: from n/a through <= 5.2.6.</p>"}], "value": "Authorization Bypass Through User-Controlled Key vulnerability in LatePoint LatePoint latepoint allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LatePoint: from n/a through <= 5.2.6."}], "impacts": [{"capecId": "CAPEC-180", "descriptions": [{"lang": "en", "value": "Exploiting Incorrectly Configured Access Control Security Levels"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "description": "Authorization Bypass Through User-Controlled Key", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-03-25T16:15:09.898Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/latepoint/vulnerability/wordpress-latepoint-plugin-5-2-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve"}], "title": "WordPress LatePoint plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability"}, "adp": [{"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-26T13:19:11.094382Z", "id": "CVE-2026-32533", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-26T13:19:18.208Z"}}]}}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.6]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "5.2.7"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LatePoint", "source": "cna", "vendor": "LatePoint"}, "product": "latepoint", "vendor": "latepoint"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-25T19:15:47.756896+00:00", "value": {"mitigation_remediation": ["Upgrade LatePoint to the latest available version, at least 5.2.7 or newer", "If an immediate update is not possible, restrict access to the plugin\u2019s administrative pages to trusted administrators only", "Verify that role\u2011based access controls are correctly configured and no more permissive privileges exist", "Continuously monitor audit logs for anomalous access patterns to protected resources"], "summary": {"action": "Apply patch", "impact": "Authorization bypass via insecure direct object references"}, "threat_synthesis": {"affected_systems": "The issue affects all installations of the LatePoint plugin for WordPress with versions up to and including 5.2.6. There are no vendor\u2011specified sub\u2011versions; any instance running 5.2.6 or earlier is considered vulnerable.", "description_and_impact": "This vulnerability in the LatePoint WordPress plugin allows an attacker with a user account to bypass authorization controls by manipulating user\u2011controlled keys. The flaw results from incorrectly configured access control security levels, enabling an attacker to access objects they should not be able to. The primary impact is the potential compromise of protected content or functions belonging to other users.", "risk_and_exploitability": "The CVSS score is not provided in the available data. The EPSS score is unavailable and the vulnerability is not listed in CISA\u2019s KEV catalogue, suggesting it is not yet actively exploited. However, the attack vector is inferred to be remote, originating from the web interface, because the flaw involves direct manipulation of request parameters. The lack of defensive controls in earlier releases increases the likelihood that the vulnerability could be abused if an attacker can guess or enumerate object identifiers."}}}}, "created": "2026-03-25T21:47:07.419203+00:00", "updated": "2026-03-26T11:34:57.921158+00:00", "vendors": ["latepoint", "latepoint$PRODUCT$latepoint", "wordpress", "wordpress$PRODUCT$wordpress"]}