Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.
Published: 2026-03-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross-Site Request Forgery leading to Stored XSS
Action: Patch immediately
AI Analysis

Impact

The LatePoint – Calendar Booking Plugin for Appointments and Events contains a Cross-Site Request Forgery (CSRF) flaw in its reload_preview() function, caused by missing or incorrect nonce validation. An unauthenticated attacker can forge a request that updates the booking form settings and injects malicious JavaScript, which is then stored in the database. When an administrator or other authenticated user later views the updated settings, the injected script executes, so the CSRF escalates to a stored Cross-Site Scripting (XSS) vulnerability. This can compromise the confidentiality, integrity, and availability of the site by allowing arbitrary script execution within the administrative context.
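To show the bug class the advisory describes, here is an added illustration that is not LatePoint's code: a WordPress admin-ajax settings handler that saves without nonce validation, beside the hardened form with nonce, capability and sanitization checks. The `example_` hook, function and option names are hypothetical.

```php
<?php
// Added illustration of the bug class in CVE-2026-2324; not LatePoint's code.
// Hook, function and option names prefixed "example_" are hypothetical.

// BEFORE: an admin-ajax handler that saves settings without a nonce check.
// The browser attaches the administrator's session cookies to any request a
// third-party page submits, so the save succeeds even though the admin never
// intended it. Stored HTML is written as-is, which is what turns CSRF into XSS.
add_action( 'wp_ajax_example_reload_preview_unsafe', 'example_reload_preview_unsafe' );
function example_reload_preview_unsafe() {
    // No check_ajax_referer()/wp_verify_nonce(): request origin is never proven.
    $settings = wp_unslash( $_POST['settings'] ?? array() );
    update_option( 'example_booking_form_settings', $settings ); // unsanitized
    wp_send_json_success();
}

// AFTER: the same handler with nonce, capability and sanitization controls.
add_action( 'wp_ajax_example_reload_preview', 'example_reload_preview_hardened' );
function example_reload_preview_hardened() {
    // 1. Nonce: proves the request came from a page WordPress rendered for this
    //    user. A capability check alone does not stop CSRF, because the forged
    //    request rides the administrator's own authenticated session.
    check_ajax_referer( 'example_reload_preview', '_wpnonce' ); // exits on failure

    // 2. Capability: only users allowed to manage settings may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Sanitize on input so the stored value cannot carry a script.
    $raw      = wp_unslash( $_POST['settings'] ?? array() );
    $settings = array(
        'title'   => sanitize_text_field( $raw['title'] ?? '' ),
        'message' => wp_kses_post( $raw['message'] ?? '' ), // drops <script>, keeps safe markup
    );
    update_option( 'example_booking_form_settings', $settings );
    wp_send_json_success( $settings );
}

// The settings page must emit the matching nonce, e.g. inside the form:
//   wp_nonce_field( 'example_reload_preview', '_wpnonce' );
// and templates must still escape on output when rendering the saved values:
//   $saved = get_option( 'example_booking_form_settings', array() );
//   echo esc_html( $saved['title'] ?? '' );
```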

Affected Systems

All releases of the LatePoint – Calendar Booking Plugin for Appointments and Events with a version number of 5.2.7 or earlier are affected. The vendor responsible is latepoint. No further version ranges are specified beyond the stated upper bound.

Risk and Exploitability

The CVSS score of 6.1 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests a low overall exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to convince a site administrator to click a forged link or otherwise submit the crafted request, a form of social engineering that is common but not guaranteed.

Generated by OpenCVE AI on March 17, 2026 at 16:08 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Update the LatePoint plugin to any version newer than 5.2.7, as newer releases are not vulnerable.
  • If an upgrade cannot be performed immediately, restrict access to the booking form settings page so that only authenticated administrators can view or modify settings.
  • Monitor administrative logs for unexpected changes to booking form settings or the presence of injected scripts, and remove any suspicious entries promptly.

Advisories

No advisories yet.

History

Wed, 11 Mar 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 11 Mar 2026 12:00:00 +0000

Type: First Time appeared
Values Added: Latepoint; Latepoint latepoint – Calendar Booking Plugin For Appointments And Events; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Latepoint; Latepoint latepoint – Calendar Booking Plugin For Appointments And Events; Wordpress; Wordpress wordpress

Wed, 11 Mar 2026 02:00:00 +0000

Type: Description
Values Added: The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, provided they can trick a site administrator into performing an action such as clicking on a link.

Type: Title
Values Added: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting

Type: Weaknesses
Values Added: CWE-352

Type: References
Values Added: (empty)

Type: Metrics
Values Added: cvssV3_1
{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-03-11T15:39:47.543Z

Reserved: 2026-02-10T23:23:38.273Z

Link: CVE-2026-2324

Vulnrichment

Updated: 2026-03-11T15:39:40.272Z

NVD

Status: Awaiting Analysis

Published: 2026-03-11T02:16:03.673

Modified: 2026-03-11T13:52:47.683

Link: CVE-2026-2324

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:38:22Z

Weaknesses