Severity by source
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Remote unauthenticated blind SQLi over the network (AV:N/AC:L/PR:N/UI:N); scope change to the shared DB and high confidentiality read, with no integrity and only low availability impact.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L
Lifecycle Timeline
2DescriptionCVE.org
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in LatePoint LatePoint latepoint allows Blind SQL Injection.This issue affects LatePoint: from n/a through <= 5.6.3.
AnalysisAI
Blind SQL injection in the LatePoint WordPress appointment-booking plugin (versions up to and including 5.6.3) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input (CWE-89), enabling extraction of database contents via boolean/time-based inference. Reported by Patchstack and rated CVSS 9.3 with a network vector requiring no privileges or user interaction; the changed scope reflects access to the shared WordPress/MySQL database beyond the plugin's own boundary. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | No special conditions - remote unauthenticated exploitation is possible against default configurations of the LatePoint plugin, per the CVSS vector AV:N/AC:L/PR:N/UI:N. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) describes a high-priority, remotely reachable, unauthenticated, low-complexity flaw, and the 9.3 score is elevated by S:C (scope change) reflecting access to the broader database. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker locates a WordPress site running LatePoint and sends crafted parameters to a vulnerable booking or AJAX endpoint, embedding SQL that the plugin passes to the database without sanitization. Using boolean or time-based blind techniques (e.g., conditional delays), the attacker iteratively infers and extracts sensitive data such as administrator password hashes from wp_users or customer PII from booking tables. … |
| Remediation | Upgrade LatePoint to a release newer than 5.6.3 as published by the vendor; the input data does not specify an exact fixed version, so consult the Patchstack advisory (https://patchstack.com/database/Wordpress/Plugin/latepoint/vulnerability/wordpress-latepoint-plugin-5-6-3-sql-injection-vulnerability) and the LatePoint changelog for the first patched build and update immediately - patch available per vendor advisory, but a specific fixed version is not independently confirmed from the provided data. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours, audit all WordPress installations to identify LatePoint plugin presence and document version numbers (vulnerable: versions 5.6.3 and earlier); simultaneously create full backups of WordPress and MySQL databases to enable rapid recovery if breach is detected. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. Rate
The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to,
The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a
Cross-Site Request Forgery (CSRF) vulnerability in Latepoint LatePoint allows Cross Site Request Forgery.9.91. Rated hig
Privilege escalation in the LatePoint WordPress plugin versions 5.5.1 and earlier allows authenticated users holding low
An authorization bypass vulnerability exists in LatePoint versions up to and including 5.2.6 that allows attackers to ex
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Latepoint L
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43369