Impact
The vulnerability is a stored cross-site scripting (XSS) flaw in the button_caption parameter of the [latepoint_resources] shortcode when its items argument is set to bundles. It is present in LatePoint plugin versions up to and including 5.3.0. An attacker with the Contributor role or higher can inject script payloads through this parameter; the payload is written to the post content and later rendered by the plugin. When a user visits a page containing the malicious shortcode, the injected script executes in that user's browser, potentially enabling session hijacking, data theft, defacement or malware delivery. This flaw is categorized as CWE-79.
Affected Systems
The affected product is the LatePoint – Calendar Booking Plugin for Appointments and Events, a WordPress plugin. Versions 5.3.0 and older are vulnerable.
Risk and Exploitability
The CVSS score of 6.4 indicates moderate severity. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, suggesting it is not widely exploited yet. Exploitation requires an authenticated user with the Contributor role or higher, since the attacker must be able to submit content containing the shortcode. Because the injected script runs for any site visitor who loads the affected page, the impact can be wide-ranging, affecting the confidentiality, integrity and availability of the site and its users. The attack vector is therefore authenticated content injection that results in client-side code execution.
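For a site operator, the two practical checks that follow from the advisory are whether the installed LatePoint version is at or below 5.3.0, and whether any existing post already contains a [latepoint_resources] shortcode that targets bundles and carries markup in its button_caption (a legitimate caption is plain text). The script below is an added example written for this page, not LatePoint or OpenCVE code; the shortcode attribute syntax it parses is standard WordPress shortcode syntax, and the sample post rows are constructed to stand in for a `SELECT ID, post_content FROM wp_posts` export.

```python
"""Defender-side checks for the LatePoint stored XSS described above (added example).

  * is_affected_version(): compares an installed plugin version string against
    the last vulnerable release named in the advisory (5.3.0).
  * find_suspicious_shortcodes(): scans WordPress post_content for
    [latepoint_resources] shortcodes whose items argument is "bundles" and
    whose button_caption contains markup rather than plain text.
"""
import re
from dataclasses import dataclass

LAST_VULNERABLE_VERSION = "5.3.0"  # advisory: "up to and including 5.3.0"

# One [latepoint_resources ...] shortcode, capturing its attribute string.
SHORTCODE_RE = re.compile(r"\[latepoint_resources\b([^\]]*)\]", re.IGNORECASE)

# name="value", name='value' or name=value pairs inside the attribute string.
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)'|(\S+))""")

# Angle brackets or a javascript: scheme have no place in a button caption.
MARKUP_RE = re.compile(r"<|>|javascript\s*:", re.IGNORECASE)


def parse_version(version: str) -> tuple:
    """Turn '5.3.0' into (5, 3, 0); non-numeric pieces count as 0, short
    versions are padded so '5.4' compares as (5, 4, 0)."""
    parts = []
    for piece in version.strip().split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def is_affected_version(installed: str) -> bool:
    """True when the installed version is within the advisory's affected range."""
    return parse_version(installed) <= parse_version(LAST_VULNERABLE_VERSION)


@dataclass
class Finding:
    post_id: int
    shortcode: str
    button_caption: str


def parse_attrs(attr_string: str) -> dict:
    """Return shortcode attributes as a lower-cased name -> value dict."""
    attrs = {}
    for m in ATTR_RE.finditer(attr_string):
        name = m.group(1).lower()
        # Exactly one of the three value groups matched; take it.
        value = next(v for v in m.groups()[1:] if v is not None)
        attrs[name] = value
    return attrs


def find_suspicious_shortcodes(posts) -> list:
    """posts: iterable of (post_id, post_content).

    Only shortcodes with items=bundles are reported, matching the advisory's
    scope; widen the filter if you prefer to flag every caption with markup."""
    findings = []
    for post_id, content in posts:
        for m in SHORTCODE_RE.finditer(content):
            attrs = parse_attrs(m.group(1))
            if attrs.get("items", "").lower() != "bundles":
                continue
            caption = attrs.get("button_caption", "")
            if MARKUP_RE.search(caption):
                findings.append(Finding(post_id, m.group(0), caption))
    return findings


# Constructed sample rows standing in for `SELECT ID, post_content FROM wp_posts`.
SAMPLE_POSTS = [
    (101, 'Book here: [latepoint_resources items="bundles" button_caption="Reserve now"]'),
    (102, '[latepoint_resources items="bundles" button_caption="Reserve<script>document.title=1</script>"]'),
    (103, "[latepoint_resources items='agents' button_caption='<b>Pick</b>']"),
    (104, "No shortcode at all."),
]

if __name__ == "__main__":
    for version in ("5.3.0", "5.3.1"):
        print(f"LatePoint {version}: affected={is_affected_version(version)}")
    for f in find_suspicious_shortcodes(SAMPLE_POSTS):
        print(f"post {f.post_id}: suspicious button_caption {f.button_caption!r}")
```

Run it against a real export by replacing SAMPLE_POSTS with rows from the database (for example via `wp db query` or a `wp post list` export); any finding is content to review and remove in addition to updating the plugin past 5.3.0.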
OpenCVE Enrichment