Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
1DescriptionCVE.org
The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint - where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database - combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed.
AnalysisAI
Stored cross-site scripting in LatePoint calendar booking plugin for WordPress versions up to 5.5.0 allows authenticated customers to inject malicious scripts via unsanitized profile fields (first name, last name, phone, notes) that execute in administrators' browsers when notification templates are previewed. Exploitation requires customer-level access and admin interaction to preview a notification template, but achieves code execution in a high-privilege context (administrator or agent browser session) with scope change from single user to multiple users.
Technical ContextAI
LatePoint is a WordPress appointment and calendar booking plugin. The vulnerability stems from two combined weaknesses in the plugin's data flow: first, the OsCustomerModel class fails to override the params_to_sanitize() method, causing the set_data() function to store raw POST parameters (first_name, last_name, phone, notes) directly in the database without sanitization; second, the generate_preview() function in the notification template system retrieves these stored values and injects them into HTML via str_replace() without any esc_html() escaping before output. Notification templates use placeholder variables like {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, and {{customer_notes}} that are directly replaced with unsanitized database values. This is a classic stored XSS (CWE-79) vulnerability where untrusted input is persisted and later rendered in a different security context.
RemediationAI
Update LatePoint to a patched version released after the vulnerability disclosure (patch version not specified in provided data; check WordPress plugin repository for latest stable release). The upstream fix involves two mandatory changes: (1) OsCustomerModel must override params_to_sanitize() to explicitly include the vulnerable fields in the sanitization list, ensuring set_data() sanitizes first_name, last_name, phone, and notes before database storage; (2) generate_preview() must apply esc_html() or appropriate escaping function to all customer variable values before injecting them into template HTML output via str_replace(). Until patched, no adequate workaround exists without disabling notification template preview functionality entirely (which impacts admin usability). A temporary compensating control is to restrict customer cabinet access via IP whitelist or require multi-factor authentication for admin/agent accounts; this reduces attack surface but does not eliminate the vulnerability since any authenticated customer can still inject payloads. Additionally, administrators can audit existing customer records for suspicious characters in first_name, last_name, phone, or notes fields via database inspection and remove malicious entries, but this is manual and does not prevent new injections. Detailed patch guidance is available in Wordfence vulnerability report at https://www.wordfence.com/threat-intel/vulnerabilities/id/628b3f53-decd-47ac-a2d1-339ade1e6944.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27544
GHSA-c4v2-4wg6-3r8x