Stored Cross-Site Scripting Vulnerability in LatePoint Plugin for WordPress
CVE-2026-7457

6.4 MEDIUM

What is CVE-2026-7457?

The LatePoint plugin for WordPress is vulnerable to stored cross-site scripting by authenticated attackers. The flaw stems from inadequate input sanitization during the customer cabinet profile update: POST parameters such as first_name, last_name, phone, and notes bypass the intended sanitization, and because OsCustomerModel does not override the sanitization methods, the unsanitized values are written directly to the database. Combined with insufficient output escaping when notification templates are generated, this lets injected scripts execute in the browser of an administrator or agent who previews a notification template containing customer-specific variables.
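The two controls the advisory says are missing, sanitization on write and escaping on output, as an added example that is not LatePoint's code. It assumes the WordPress helpers sanitize_text_field(), sanitize_textarea_field(), wp_unslash() and esc_html(); the class name, function name and {{customer_*}} template variables are illustrative.

```php
<?php
// Added example (not LatePoint's code): a hypothetical customer model that
// sanitizes the profile fields named in the advisory before they are stored,
// and a template renderer that escapes them when they are output.

class Example_Customer_Model {
    // One sanitizer per writable field; fields not listed here are dropped.
    private const FIELD_SANITIZERS = [
        'first_name' => 'sanitize_text_field',
        'last_name'  => 'sanitize_text_field',
        'phone'      => 'sanitize_text_field',
        'notes'      => 'sanitize_textarea_field',
    ];

    private array $data = [];

    // Sanitize every field on write, so a <script> tag in `notes`
    // never reaches the database in the first place.
    public function set_data( array $post ): void {
        foreach ( self::FIELD_SANITIZERS as $field => $sanitizer ) {
            if ( isset( $post[ $field ] ) ) {
                $this->data[ $field ] = $sanitizer( wp_unslash( $post[ $field ] ) );
            }
        }
    }

    public function get( string $field ): string {
        return $this->data[ $field ] ?? '';
    }
}

// Render a notification template such as "Hello {{customer_first_name}}",
// escaping each substituted customer value for an HTML context.
// Escaping here is defence in depth: it also protects records that were
// stored before sanitization was enforced.
function example_render_template( string $template, Example_Customer_Model $c ): string {
    $vars = [
        '{{customer_first_name}}' => $c->get( 'first_name' ),
        '{{customer_last_name}}'  => $c->get( 'last_name' ),
        '{{customer_phone}}'      => $c->get( 'phone' ),
        '{{customer_notes}}'      => $c->get( 'notes' ),
    ];
    return str_replace(
        array_keys( $vars ),
        array_map( 'esc_html', array_values( $vars ) ),
        $template
    );
}
```

When reviewing a fix, check both halves: a model that sanitizes on write still leaves previously stored records unsafe unless the preview path escapes on output.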

Affected Version(s)

LatePoint – Calendar Booking Plugin for Appointments and Events 0 <= 5.5.0

CVSS v3.1

  • Score: 6.4 (MEDIUM)
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
  • Confidentiality: Low
  • Integrity: Low
  • Availability: Low

Timeline

  • Vulnerability published
  • Vulnerability reserved

Credit

Niv Kochan