{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-0617", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-05T18:02:14.890Z", "datePublished": "2026-02-03T06:38:02.459Z", "dateUpdated": "2026-04-08T16:41:45.589Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:41:45.589Z"}, "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.2.5", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history."}], "title": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22bcfd36-ecf9-4d2c-ac94-94ffa0340c4c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/views/activities/view.php#L27"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/controllers/activities_controller.php"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/activity_model.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3449263%40latepoint%2Ftrunk&old=3408660%40latepoint%2Ftrunk&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "baseScore": 7.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Bui Van Y"}], "timeline": [{"time": "2026-01-05T18:18:13.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-02T18:30:30.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-03T15:29:05.622124Z", "id": "CVE-2026-0617", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:30:46.262Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-0617", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-03T15:29:05.622124Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-03T15:29:06.395Z"}}], "cna": {"title": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting", "credits": [{"lang": "en", "type": "finder", "value": "Bui Van Y"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 7.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.2.5"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-05T18:18:13.000+00:00", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-02T18:30:30.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22bcfd36-ecf9-4d2c-ac94-94ffa0340c4c?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/views/activities/view.php#L27"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/controllers/activities_controller.php"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/activity_model.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3449263%40latepoint%2Ftrunk&old=3408660%40latepoint%2Ftrunk&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-03T06:38:02.459Z"}}}, "cveMetadata": {"cveId": "CVE-2026-0617", "state": "PUBLISHED", "dateUpdated": "2026-02-03T15:30:46.262Z", "dateReserved": "2026-01-05T18:02:14.890Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-03T06:38:02.459Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history."}, {"lang": "es", "value": "El plugin LatePoint \u2013 Calendar Booking Plugin for Appointments and Events para WordPress es vulnerable a cross-site scripting almacenado a trav\u00e9s de los campos del perfil del cliente en todas las versiones hasta la 5.2.5, inclusive, debido a una sanitizaci\u00f3n de entrada y un escape de salida insuficientes. Esto posibilita que atacantes no autenticados inyecten scripts web arbitrarios en p\u00e1ginas que se ejecutar\u00e1n cada vez que un administrador vea el historial de actividad del cliente."}], "id": "CVE-2026-0617", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-03T07:16:11.390", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/controllers/activities_controller.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/activity_model.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/views/activities/view.php#L27"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3449263%40latepoint%2Ftrunk&old=3408660%40latepoint%2Ftrunk&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/22bcfd36-ecf9-4d2c-ac94-94ffa0340c4c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-15T21:30:14.840141+00:00", "value": {"mitigation_remediation": ["Update the LatePoint plugin to the latest released version (5.2.6 or newer).", "If an immediate update is not possible, disable the customer profile fields that accept user input or enforce strict input sanitization for those fields.", "Restrict access to the activity history view to a tightly controlled set of administrator roles and consider enabling additional logging or WAF rules to detect injected scripts."], "summary": {"action": "Immediate Patch", "impact": "Stored Cross\u2011Site Scripting allowing unauthenticated attackers to inject arbitrary scripts that run when an administrator views activity history"}, "threat_synthesis": {"affected_systems": "WordPress sites that use the LatePoint \u2013 Calendar Booking Plugin for Appointments and Events, version\u202f5.2.5 or earlier.", "description_and_impact": "This vulnerability is a stored Cross\u2011Site Scripting flaw that originates from customer profile fields in the LatePoint plugin. Unauthenticated users can insert malicious scripts that are saved and later executed whenever an administrator opens the activity history page. Because the payload runs in the context of the administrator\u2019s session, an attacker could hijack credentials, perform phishing, or execute further attacks against the site.", "risk_and_exploitability": "The CVSS base score of 7.2 classifies it as high severity, yet the EPSS score below 1% suggests a low likelihood of exploitation at present. It is not listed in the CISA KEV catalog. The attack path requires no authentication; any visitor can supply input that will later be rendered for an administrator, making the flaw readily exploitable if the plugin is not patched."}}}}, "created": "2026-02-04T12:14:09.445402+00:00", "updated": "2026-04-15T21:45:14.137356+00:00", "vendors": ["latepoint", "latepoint$PRODUCT$latepoint", "wordpress", "wordpress$PRODUCT$wordpress"]}