Description
Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.
Published: 2026-06-29
Score: 7.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability arises from the pinpointJwt session cookie being issued without the HttpOnly attribute (CWE-1004) and the Secure attribute (CWE-614). Without HttpOnly the cookie can be read by client-side JavaScript through document.cookie; without Secure it is transmitted in clear text over HTTP. When combined with an existing stored or reflected cross-site scripting flaw, an attacker can exfiltrate or hijack valid session tokens, enabling unauthorized access to the Pinpoint Booking System.

Affected Systems

Pinpoint APM, delivered through the Pinpoint Booking System WordPress plugin, is affected. Versions up to and including 3.1.0 contain the flaw. The system operates within WordPress environments and is identified by the CPE cpe:2.3:a:pinpoint-apm:pinpoint:*:*:*:*:*:*:*:*, meaning any deployment using the pinpoint-apm:pinpoint plugin is vulnerable unless mitigated.

Risk and Exploitability

With a CVSS base score of 7.6, the flaw is rated high. Although EPSS data is not available, the combination of missing cookie flags and common XSS vectors creates a realistic exploitation scenario. The vulnerability is not listed in CISA's KEV catalog. The likely attack path is the exploitation of a stored or reflected XSS vulnerability to read the pinpointJwt cookie, or the passive sniffing of clear‑text traffic over non‑HTTPS connections to capture the session identifier, ultimately allowing session hijacking and compromise of the application.

Generated by OpenCVE AI on June 29, 2026 at 19:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Pinpoint to a version newer than 3.1.0 to receive the fixed cookie attribute implementation.
  • If an upgrade is not immediately feasible, configure the application or web server to set HttpOnly and Secure flags on the pinpointJwt cookie through a security configuration or middleware, ensuring the cookie is inaccessible from JavaScript and only sent over HTTPS.
  • Remediate any stored or reflected cross‑site scripting vulnerabilities by implementing strict input validation and output encoding, applying content‑security‑policy headers, and following best practices associated with CWE-1004 and CWE-614.

Generated by OpenCVE AI on June 29, 2026 at 19:52 UTC.
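The second recommended action above (set HttpOnly and Secure on pinpointJwt if an upgrade is not possible) is easiest to verify from the outside by inspecting the Set-Cookie headers a deployment actually emits. The following Python script is an added example, not code from the Pinpoint project or from OpenCVE: it parses Set-Cookie header values, reports the two weaknesses the advisory cites for any watched cookie, and builds the corrected header value. The cookie name pinpointJwt is taken from the advisory; the response headers are constructed samples, and the SameSite=Strict attribute in the hardened value is this example's own extra hardening choice, not something the advisory requires.

```python
"""Audit HTTP response headers for session cookies that lack the HttpOnly
and Secure attributes (CWE-1004 / CWE-614) and build a hardened replacement.

Added example; not code from the Pinpoint project or from OpenCVE. The
cookie name pinpointJwt comes from the advisory; the header values below
are constructed samples, not captured from a real deployment.
"""
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass
class CookieAudit:
    name: str
    httponly: bool
    secure: bool
    samesite: Optional[str]

    def findings(self) -> list[str]:
        """One finding per missing protection, keyed by the CWE the advisory cites."""
        out = []
        if not self.httponly:
            out.append("CWE-1004: missing HttpOnly (readable via document.cookie)")
        if not self.secure:
            out.append("CWE-614: missing Secure (sent in cleartext over HTTP)")
        return out


def parse_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value. Attribute names are case-insensitive
    per RFC 6265, so 'httponly', 'HttpOnly' and 'HTTPONLY' all count."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return CookieAudit(
        name=name,
        httponly="httponly" in attrs,
        secure="secure" in attrs,
        samesite=attrs.get("samesite"),
    )


def audit_headers(headers: Iterable[tuple[str, str]],
                  watch: tuple[str, ...] = ("pinpointJwt",)) -> dict[str, list[str]]:
    """Scan (name, value) header pairs and report findings for watched cookies.
    A watched cookie that never appears is reported too, so an absent cookie
    is not mistaken for a clean result."""
    results = {name: ["cookie not set in this response"] for name in watch}
    for key, value in headers:
        if key.lower() != "set-cookie":
            continue
        cookie = parse_set_cookie(value)
        if cookie.name in watch:
            results[cookie.name] = cookie.findings()
    return results


def hardened_set_cookie(name: str, value: str, max_age: int = 3600, path: str = "/") -> str:
    """Build the corrected Set-Cookie value: Secure, HttpOnly and SameSite=Strict
    (SameSite is an extra hardening choice of this example, not an advisory requirement)."""
    return f"{name}={value}; Max-Age={max_age}; Path={path}; Secure; HttpOnly; SameSite=Strict"


# Constructed sample response: the weak cookie as the advisory describes it,
# alongside an unrelated cookie that must not produce a finding.
SAMPLE_HEADERS = [
    ("Content-Type", "text/html; charset=UTF-8"),
    ("Set-Cookie", "pinpointJwt=eyJ0eXAiOiJKV1QifQ.placeholder.signature; Path=/"),
    ("Set-Cookie", "other_cookie=1; Path=/; HttpOnly"),
]

if __name__ == "__main__":
    for cookie_name, problems in audit_headers(SAMPLE_HEADERS).items():
        print(cookie_name, "->", problems or ["ok"])
    print("fixed:", hardened_set_cookie("pinpointJwt", "<token>"))
```

Feed `audit_headers` the header list from a test request against a staging instance (for example the `headers.items()` of an `http.client` response) and treat a non-empty finding list for pinpointJwt as the mitigation not yet being in place; the hardened value is what a web-server or middleware rewrite of the cookie should produce.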

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 14:30:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
    {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 11:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Pinpoint-apm; Pinpoint-apm pinpoint
Type: CPEs
  Values Removed: cpe:2.3:a:pinpoint:pinpoint_booking_system:*:*:*:*:*:wordpress:*:*
  Values Added: cpe:2.3:a:pinpoint-apm:pinpoint:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Removed: Pinpoint; Pinpoint pinpoint Booking System
  Values Added: Pinpoint-apm; Pinpoint-apm pinpoint

Mon, 29 Jun 2026 18:15:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Pinpoint through version 3.1.0 contains an insecure session management vulnerability that allows attackers to access the pinpointJwt session cookie due to missing HttpOnly and Secure attributes, enabling JavaScript access via document.cookie and cleartext transmission over HTTP. Attackers can exploit stored or reflected cross-site scripting vulnerabilities to exfiltrate the session token or intercept it through network sniffing to perform session hijacking.
Type: Title
  Values Added: Pinpoint - Insecure Session Cookie Attributes in pinpointJwt
Type: First Time appeared
  Values Added: Pinpoint; Pinpoint pinpoint Booking System
Type: Weaknesses
  Values Added: CWE-1004; CWE-614
Type: CPEs
  Values Added: cpe:2.3:a:pinpoint:pinpoint_booking_system:*:*:*:*:*:wordpress:*:*
Type: Vendors & Products
  Values Added: Pinpoint; Pinpoint pinpoint Booking System
Type: References
  Values Added: (none listed)
Type: Metrics
  Values Added: cvssV3_1
    {'score': 6.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}
  Values Added: cvssV4_0
    {'score': 7.6, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Pinpoint-apm Pinpoint
MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-30T13:58:23.552Z

Reserved: 2026-06-26T13:57:16.356Z

Link: CVE-2026-57948

Vulnrichment

Updated: 2026-06-30T13:57:54.897Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-29T20:00:03Z

Weaknesses
  • CWE-1004

    Sensitive Cookie Without 'HttpOnly' Flag

  • CWE-614

    Sensitive Cookie in HTTPS Session Without 'Secure' Attribute