Skip to main content

LatePoint EUVDEUVD-2026-27540

| CVE-2026-7332 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-05-06 Wordfence GHSA-97wr-3wr5-r6wx
7.2
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 06, 2026 - 07:46 vuln.today

DescriptionCVE.org

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.

AnalysisAI

Stored cross-site scripting (XSS) in LatePoint WordPress booking plugin (versions ≤5.5.0) allows unauthenticated attackers to inject malicious scripts via the 'booking_form_page_url' parameter that execute when administrators view activity logs. The vulnerability exploits a design flaw where the latepoint_order_intent_created action hook writes unsanitized input to the database before Stripe Connect validation occurs, meaning no functional payment integration is required for exploitation. Wordfence reported this issue with source code references demonstrating the flawed input handling in activities_controller.php and activities_helper.php. CVSS 7.2 with scope change (S:C) reflects potential for attackers to pivot from stored XSS to administrative session hijacking.

Technical ContextAI

This vulnerability exists in the LatePoint Calendar Booking Plugin for WordPress (CPE: cpe:2.3:a:latepoint:latepoint_-_calendar_booking_plugin_for_appointments_and_events), a scheduling and appointment management system. The flaw is rooted in CWE-79 (Improper Neutralization of Input During Web Page Generation). The plugin's Stripe integration flow triggers the latepoint_order_intent_created action hook before validating Stripe Connect account credentials. The activities_controller.php (line 214) and activities_helper.php (line 83) process the booking_form_page_url parameter without sanitization, writing attacker-controlled data directly to WordPress database tables as activity log entries. When administrators later view these logs through the plugin's admin interface, the unsanitized script executes in their browser context. The premature hook execution means the attack surface exists even on installations where Stripe payments are unconfigured or non-functional, significantly broadening exposure beyond typical payment gateway vulnerabilities.

RemediationAI

Upgrade to LatePoint version 5.5.1 or later, which implements input sanitization for the booking_form_page_url parameter based on changeset 3522933 visible at https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail=. If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block requests containing script tags or JavaScript event handlers in the booking_form_page_url parameter, though this may break legitimate bookings with complex referrer URLs. Alternatively, restrict WordPress admin dashboard access to trusted IP addresses via .htaccess or firewall rules, reducing the attack surface for stored XSS execution, but this will impair remote administration capabilities. Review activity logs in the LatePoint admin interface for suspicious entries containing script tags, JavaScript protocols (javascript:), or HTML event handlers (onload, onerror) and manually purge malicious records from the database via phpMyAdmin or WP-CLI, noting this requires technical expertise and database backup before modification.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

EUVD-2026-27540 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy