Skip to main content

Latepoint

8 CVEs product

Monthly

CVE-2026-57714 CRITICAL Act Now

Blind SQL injection in the LatePoint WordPress appointment-booking plugin (versions up to and including 5.6.3) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input (CWE-89), enabling extraction of database contents via boolean/time-based inference. Reported by Patchstack and rated CVSS 9.3 with a network vector requiring no privileges or user interaction; the changed scope reflects access to the shared WordPress/MySQL database beyond the plugin's own boundary. No public exploit is identified at time of analysis and it is not listed in CISA KEV.

SQLi Latepoint
NVD
CVSS 3.1
9.3
EPSS
0.4%
CVE-2026-49083 HIGH This Week

Privilege escalation in the LatePoint WordPress plugin versions 5.5.1 and earlier allows authenticated users holding low-privileged contributor accounts to elevate to higher-privileged roles, according to a Patchstack advisory. CVSS 3.1 scores this 7.5 (High) with full confidentiality, integrity, and availability impact, though high attack complexity and required low privileges constrain trivial exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation Latepoint
NVD
CVSS 3.1
7.5
EPSS
0.3%
CVE-2026-32533 MEDIUM This Month

An authorization bypass vulnerability exists in LatePoint versions up to and including 5.2.6 that allows attackers to exploit incorrectly configured access control security levels through user-controlled key manipulation. This Insecure Direct Object Reference (IDOR) vulnerability enables attackers without proper authentication or authorization to access resources they should not have permission to view or modify. The vulnerability affects the LatePoint WordPress plugin and has been documented by Patchstack with proof-of-concept details available, making it a practical exploitation risk for unpatched installations.

Authentication Bypass Latepoint
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2024-43945 HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Latepoint LatePoint allows Cross Site Request Forgery.9.91. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Latepoint
NVD
CVSS 3.1
8.8
EPSS
0.2%
CVE-2024-8943 CRITICAL POC Act Now

The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Latepoint
NVD
CVSS 3.1
9.8
EPSS
3.0%
CVE-2024-8911 CRITICAL POC Act Now

The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi WordPress Latepoint
NVD
CVSS 3.1
9.8
EPSS
2.8%
CVE-2024-43992 MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Latepoint LatePoint allows Stored XSS.9.91. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Latepoint
NVD
CVSS 3.1
5.4
EPSS
0.2%
CVE-2024-2472 CRITICAL Act Now

The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Latepoint
NVD
CVSS 3.1
9.1
EPSS
1.8%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Blind SQL injection in the LatePoint WordPress appointment-booking plugin (versions up to and including 5.6.3) lets remote unauthenticated attackers inject crafted SQL through improperly neutralized input (CWE-89), enabling extraction of database contents via boolean/time-based inference. Reported by Patchstack and rated CVSS 9.3 with a network vector requiring no privileges or user interaction; the changed scope reflects access to the shared WordPress/MySQL database beyond the plugin's own boundary. No public exploit is identified at time of analysis and it is not listed in CISA KEV.

SQLi Latepoint
NVD
EPSS 0% CVSS 7.5
HIGH This Week

Privilege escalation in the LatePoint WordPress plugin versions 5.5.1 and earlier allows authenticated users holding low-privileged contributor accounts to elevate to higher-privileged roles, according to a Patchstack advisory. CVSS 3.1 scores this 7.5 (High) with full confidentiality, integrity, and availability impact, though high attack complexity and required low privileges constrain trivial exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Privilege Escalation Latepoint
NVD
EPSS 0% CVSS 6.5
MEDIUM This Month

An authorization bypass vulnerability exists in LatePoint versions up to and including 5.2.6 that allows attackers to exploit incorrectly configured access control security levels through user-controlled key manipulation. This Insecure Direct Object Reference (IDOR) vulnerability enables attackers without proper authentication or authorization to access resources they should not have permission to view or modify. The vulnerability affects the LatePoint WordPress plugin and has been documented by Patchstack with proof-of-concept details available, making it a practical exploitation risk for unpatched installations.

Authentication Bypass Latepoint
NVD VulDB
EPSS 0% CVSS 8.8
HIGH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Latepoint LatePoint allows Cross Site Request Forgery.9.91. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Latepoint
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Latepoint
NVD
EPSS 3% CVSS 9.8
CRITICAL POC Act Now

The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to, and including, 5.0.11. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi WordPress Latepoint
NVD
EPSS 0% CVSS 5.4
MEDIUM This Month

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Latepoint LatePoint allows Stored XSS.9.91. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

XSS Latepoint
NVD
EPSS 2% CVSS 9.1
CRITICAL Act Now

The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the 'start_or_use_session_for_customer' function. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Authentication Bypass WordPress Latepoint
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy