SQL Injection Vulnerability in LatePoint Calendar Booking Plugin for WordPress
CVE-2026-1487

6.5MEDIUM

Key Information:

Vendor: WordPress
Status: Latepoint – Calendar Booking Plugin For Appointments And Events
Vendor: CVE Published:; 3 March 2026

What is CVE-2026-1487?

The LatePoint Calendar Booking Plugin for Appointments and Events for WordPress contains an SQL Injection vulnerability through its JSON Import feature. This flaw arises from inadequate validation of user-supplied JSON data, permitting authenticated users with Administrator-level access and higher to execute arbitrary SQL queries. Such attacks can facilitate unauthorized data retrieval, manipulation, including the deletion of tables, and alterations of database entries, thereby posing significant security risks to affected installations.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

LatePoint – Calendar Booking Plugin for Appointments and Events * <= 5.2.7

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/changeset/3463945/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Mar 3, 2026
Vulnerability Reserved
Jan 27, 2026

Credit

Chiao-Lin Yu

JSON

WordPress

What is CVE-2026-1487?

Human OS v1.0: Ageing Is an Unpatched Zero-Day Vulnerability.

Affected Version(s)

References

CVSS V3.1

Timeline

Credit

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.