Stored Cross-Site Scripting Vulnerability in LatePoint Calendar Booking Plugin for WordPress
CVE-2026-4785

6.4MEDIUM

Key Information:

Vendor: WordPress
Status: Latepoint – Calendar Booking Plugin For Appointments And Events
Vendor: CVE Published:; 8 April 2026

What is CVE-2026-4785?

The LatePoint Calendar Booking Plugin for Appointments and Events for WordPress has a vulnerability that allows authenticated users with contributor-level access or higher to perform Stored Cross-Site Scripting attacks. Malicious actors can exploit the insufficient output escaping in the 'button_caption' parameter of the [latepoint_resources] shortcode when the 'items' parameter is set to 'bundles'. This vulnerability can lead to the injection of arbitrary web scripts into pages, which will execute on browsers of unsuspecting users who access the compromised content, potentially compromising site integrity and user data.

Affected Version(s)

LatePoint – Calendar Booking Plugin for Appointments and Events 0 <= 5.3.0

References

https://www.wordfence.com/threat-intel/vulnerabilities/id...

https://plugins.trac.wordpress.org/browser/latepoint/trun...

https://plugins.trac.wordpress.org/browser/latepoint/tags...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 8, 2026
Vulnerability Reserved
Mar 24, 2026

Credit

Djaidja Moundjid

CVE-2026-4785 Data

JSON