Description
The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database — combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed.
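To make the two halves of the defect concrete, here is an added illustrative PHP example. It is not LatePoint's code: the function names mirror the description, but every body is constructed, the WordPress helpers are replaced by minimal stand-ins so the file runs offline, and how {{customer_full_name}} is composed is an assumption.

```php
<?php
// Added illustrative example, not LatePoint's own code. It models the defects the
// description names (values stored verbatim, then substituted into template HTML with
// str_replace() and no esc_html()) beside the hardened form. All bodies are constructed.
// Minimal stand-ins so this runs outside WordPress; the real functions do more.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string { return trim(strip_tags($s)); }
}
// Maps the template placeholders to the customer fields the description lists
// (full-name composition is an assumption).
function customer_vars(array $c): array {
    return [
        '{{customer_full_name}}'  => $c['first_name'] . ' ' . $c['last_name'],
        '{{customer_first_name}}' => $c['first_name'],
        '{{customer_last_name}}'  => $c['last_name'],
        '{{customer_phone}}'      => $c['phone'],
        '{{customer_notes}}'      => $c['notes'],
    ];
}
// Vulnerable shape: stored values reach the HTML sink unescaped.
function generate_preview_unsafe(string $template, array $c): string {
    $vars = customer_vars($c);
    return str_replace(array_keys($vars), array_values($vars), $template);
}
// Hardened shape: escape at the sink, so whatever was stored cannot become markup.
function generate_preview_safe(string $template, array $c): string {
    $vars = array_map('esc_html', customer_vars($c));   // keys are preserved
    return str_replace(array_keys($vars), array_values($vars), $template);
}
// Defence in depth on the input side: declare which POST keys are sanitized
// before they are persisted (the hypothetical equivalent of params_to_sanitize()).
function sanitize_profile_params(array $post): array {
    $out = [];
    foreach (['first_name', 'last_name', 'phone', 'notes'] as $k) {
        $out[$k] = sanitize_text_field($post[$k] ?? '');
    }
    return $out;
}
// Constructed input: a harmless tag stands in for attacker-controlled markup.
$post = ['first_name' => 'Alice', 'last_name' => 'Smith<i>injected</i>', 'phone' => '555-0100', 'notes' => ''];
$tpl  = '<p>Hello {{customer_full_name}}, phone {{customer_phone}}</p>';
echo generate_preview_unsafe($tpl, $post), "\n";                         // tag survives: a browser renders it
echo generate_preview_safe($tpl, $post), "\n";                           // &lt;i&gt;...: shown as literal text
echo generate_preview_safe($tpl, sanitize_profile_params($post)), "\n";  // tag also stripped on input
```

The output-side escaping is the fix that closes the sink regardless of what earlier versions already stored; input sanitization alone would leave existing rows in the database dangerous.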
Published: 2026-05-06
Score: 6.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LatePoint, a WordPress plugin that manages calendar booking and appointments, contains a stored cross-site scripting flaw in versions up to 5.5.0. The flaw arises because customer profile fields (first name, last name, phone, and notes) are stored without input sanitization and later inserted into notification template previews without HTML escaping. This allows an attacker to inject malicious scripts that execute in the context of any administrator or agent who views a notification preview that includes customer variables such as {{customer_full_name}}. The vulnerability can compromise the confidentiality, integrity, and availability of the administrative interface: an attacker who logs in with a subscriber-level account can persistently embed scripts that may exfiltrate data, hijack sessions, or modify the user interface. Because the malicious code runs in the victim's browser, any user who views the affected preview is at risk. Although the impact is limited to the browser context, it can be leveraged for credential theft, phishing, or further lateral movement. The risk level is moderate with a CVSS score of 6.4. No EPSS value is available, and the vulnerability is not listed in the CISA KEV catalog. Attackers must be authenticated with subscriber or higher privileges to trigger the vulnerability, but once the malicious script is inserted into the database it can be activated by any administrator or agent who performs a notification preview. The lack of proper output escaping makes the issue difficult to avoid without applying the vendor's patch.

Affected Systems

LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress, all releases through and including version 5.5.0. No specific platform variants are listed; the plugin runs on any standard WordPress installation that has not applied an update beyond 5.5.0.

Risk and Exploitability

With a moderate CVSS score of 6.4 the vulnerability poses a tangible threat to site administrators, particularly if the site uses the notification preview feature. Exploitation requires valid authenticated credentials with a subscriber or higher role, but once a payload is stored it triggers whenever a notification template referencing customer data is previewed. The absence of an EPSS score or KEV listing suggests current public exploitation activity is unknown, yet the broad availability of the plugin and its common use in booking contexts make the risk non-negligible.

Generated by OpenCVE AI on May 6, 2026 at 08:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LatePoint to the latest version (5.5.1 or newer) which removes the unsanitized input handling and applies output escaping to notification previews.
  • If an upgrade is not yet possible, restrict the customer cabinet profile update functionality by limiting subscriber‑level access or disabling the feature through a security plugin until the vendor patch is applied.
  • Audit the existing customer data tables for any stored scripts and cleanse or escape any values that were previously saved.

Advisories

No advisories yet.

History

Wed, 06 May 2026 08:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Latepoint; Latepoint latepoint – Calendar Booking Plugin For Appointments And Events; Wordpress; Wordpress wordpress
Vendors & Products  |                | Latepoint; Latepoint latepoint – Calendar Booking Plugin For Appointments And Events; Wordpress; Wordpress wordpress

Wed, 06 May 2026 07:30:00 +0000

Type        | Values Removed | Values Added
Description |                | (the text shown in the Description section above)
Title       |                | LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update
Weaknesses  |                | CWE-79
References  |                |
Metrics     |                | cvssV3_1: {'score': 6.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-06T06:47:21.090Z

Reserved: 2026-04-29T17:35:25.264Z

Link: CVE-2026-7457

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-06T08:16:04.360

Modified: 2026-05-06T08:16:04.360

Link: CVE-2026-7457

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-06T09:00:10Z

Weaknesses