← back to popular plugins
wordfence / plugin · latepoint

LatePoint – Calendar Booking Plugin for Appointments and Events

latepoint
total installs
100,000
total vulns
23
critical
1
high
8
medium
14
low
0
latest vuln
patched
23
unpatched
0
avg time to patch
vulnerabilities (23)
LatePoint <= 5.3.2 - Cross-Site Request Forgery via 'customer_cabinet__request_cancellation' AJAX Route
medium ✓ patched
cve id CVE-2026-5365 ↗
cvss score 4.3
cwe CWE-352: Cross-Site Request Forgery (CSRF)
published May 13, 2026
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in customer's bookings via a forged request, granted they can trick the customer into performing an action such as clicking on a link.
LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism
medium ✓ patched
cve id CVE-2026-7652 ↗
cvss score 5.3
cwe CWE-640: Weak Password Recovery Mechanism for Forgotten Password
published May 8, 2026
The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected.
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting
high ✓ patched
cve id CVE-2026-7448 ↗
cvss score 7.2
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published May 6, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter
high ✓ patched
cve id CVE-2026-7332 ↗
cvss score 7.2
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published May 5, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.
LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update
medium ✓ patched
cve id CVE-2026-7457 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published May 5, 2026
The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database — combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed.
LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'first_name' Parameter
high ✓ patched
cve id CVE-2026-7448 ↗
cvss score 7.2
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published May 5, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'first_name' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability
high ✓ patched
cve id CVE-2026-6741 ↗
cvss score 8.8
cwe CWE-269: Improper Privilege Management
published Apr 27, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.
LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID
medium ✓ patched
cve id CVE-2026-5234 ↗
cvss score 5.3
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published Apr 16, 2026
The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no authentication required) and loads invoices by sequential integer invoice_id without any access_key or ownership verification. This is in contrast to other invoice-related actions (view_by_key, payment_form, summary_before_payment) in OsInvoicesController which properly require a cryptographic UUID access_key. This makes it possible for unauthenticated attackers to enumerate valid invoice IDs via an error message oracle, create unauthorized transaction intent records in the database containing sensitive financial data (invoice_id, order_id, customer_id, charge_amount), and on sites with Stripe Connect configured, the response also leaks Stripe payment_intent_client_secret tokens, transaction_intent_key values, and payment amounts for any invoice.
LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
medium ✓ patched
cve id CVE-2026-4785 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Apr 7, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Authenticated (Subscriber+) Insecure Direct Object Reference
medium ✓ patched
cve id CVE-2026-32533 ↗
cvss score 4.3
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published Mar 23, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.2.6 due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Subscriber-level access and above, to perform unauthorized actions.
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2026-2324 ↗
cvss score 6.1
cwe CWE-352: Cross-Site Request Forgery (CSRF)
published Mar 10, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.
LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import
medium ✓ patched
cve id CVE-2026-1487 ↗
cvss score 6.5
cwe CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
published Mar 2, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary SQL queries on the database that can be used to extract information via time-based techniques, drop tables, or modify data.
LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation
high ✓ patched
cve id CVE-2026-1566 ↗
cvss score 8.8
cwe CWE-269: Improper Privilege Management
published Mar 2, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the 'wordpress_user_id' field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password.
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Cross-Site Request Forgery
medium ✓ patched
cve id CVE-2025-14873 ↗
cvss score 4.3
cwe CWE-352: Cross-Site Request Forgery (CSRF)
published Feb 13, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilities without enforcing nonce verification. This makes it possible for unauthenticated attackers to perform multiple administrative actions via forged requests granted they can trick a site administrator into performing an action such as clicking on a link.
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure
medium ✓ patched
cve id CVE-2026-1537 ↗
cvss score 5.3
cwe CWE-862: Missing Authorization
published Feb 11, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details.
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting
high ✓ patched
cve id CVE-2026-0617 ↗
cvss score 7.2
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Feb 2, 2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history.
LatePoint <= 5.1.94 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
medium ✓ patched
cve id CVE-2025-6941 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Sep 29, 2025
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'latepoint_resources' shortcode in all versions up to, and including, 5.1.94 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
LatePoint <= 5.1.94 - Cross-Site Request Forgery to Account Takeover via change_password() Function
high ✓ patched
cve id CVE-2025-7052 ↗
cvss score 8.8
cwe CWE-352: Cross-Site Request Forgery (CSRF)
published Sep 29, 2025
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_password() function of its customer_cabinet__change_password AJAX route. The plugin hooks this endpoint via wp_ajax and wp_ajax_nopriv but does not verify a nonce or user capability before resetting the user’s password. This makes it possible for unauthenticated attackers who trick a logged-in customer (or, with “WP users as customers” enabled, an administrator) into visiting a malicious link to take over their account.
LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function
high ✓ patched
cve id CVE-2025-7038 ↗
cvss score 8.2
cwe CWE-288: Authentication Bypass Using an Alternate Path or Channel
published Sep 29, 2025
The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account.
LatePoint <= 5.1.94 - Authenticated (Administrator+) Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-6815 ↗
cvss score 5.5
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Sep 29, 2025
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘service[name]’ parameter in all versions up to, and including, 5.1.94 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
LatePoint <= 5.1.93 - Unauthenticated Local File Inclusion
critical ✓ patched
cve id CVE-2025-6715 ↗
cvss score 9.8
cwe CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')
published Jul 23, 2025
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 5.1.93 via the 'layout' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary .php files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where .php file types can be uploaded and included.
Latepoint <= 5.1.92 - Unauthenticated Insecure Direct Object Reference
medium ✓ patched
cve id CVE-2025-3769 ↗
cvss score 5.3
cwe CWE-639: Authorization Bypass Through User-Controlled Key
published May 13, 2025
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.1.92 via the 'view_booking_summary_in_lightbox' due to missing validation on a user controlled key. This makes it possible for unauthenticated attackers to retrieve appointment details such as customer names and email addresses.
LatePoint <= 5.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting
medium ✓ patched
cve id CVE-2025-30836 ↗
cvss score 6.4
cwe CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
published Mar 27, 2025
The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.1.6 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.