{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2324", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-10T23:23:38.273Z", "datePublished": "2026-03-11T01:22:04.469Z", "dateUpdated": "2026-04-08T17:16:43.909Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:16:43.909Z"}, "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.2.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3ae93da-57ee-4966-83af-b8c57f9ad7d9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3463945/latepoint"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lukasz Sobanski"}], "timeline": [{"time": "2026-02-10T23:39:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-10T11:29:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2324", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:38:28.401773Z"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:47.543Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2324", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-10T23:23:38.273Z", "datePublished": "2026-03-11T01:22:04.469Z", "dateUpdated": "2026-03-11T15:39:47.543Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-03-11T01:22:04.469Z"}, "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"version": "*", "status": "affected", "lessThanOrEqual": "5.2.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}], "title": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3ae93da-57ee-4966-83af-b8c57f9ad7d9?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3463945/latepoint"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-352 Cross-Site Request Forgery (CSRF)", "cweId": "CWE-352", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Lukasz Sobanski"}], "timeline": [{"time": "2026-02-10T23:39:18.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-03-10T11:29:15.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2324", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T15:38:28.401773Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-11T15:39:40.272Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link."}, {"lang": "es", "value": "El plugin LatePoint \u2013 Calendar Booking Plugin for Appointments and Events para WordPress es vulnerable a falsificaci\u00f3n de petici\u00f3n en sitios cruzados en todas las versiones hasta la 5.2.7, inclusive. Esto se debe a una validaci\u00f3n de nonce faltante o incorrecta en la funci\u00f3n reload_preview(). Esto hace posible que atacantes no autenticados actualicen la configuraci\u00f3n e inyecten scripts web maliciosos a trav\u00e9s de una petici\u00f3n falsificada, siempre que puedan enga\u00f1ar a un administrador del sitio para que realice una acci\u00f3n como hacer clic en un enlace."}], "id": "CVE-2026-2324", "lastModified": "2026-04-22T21:27:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.1, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-11T02:16:03.673", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3463945/latepoint"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b3ae93da-57ee-4966-83af-b8c57f9ad7d9?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.2.7]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "source": "cna", "vendor": "latepoint"}, "product": "latepoint_\u2013_calendar_booking_plugin_for_appointments_and_events", "vendor": "latepoint"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-17T16:08:21.325620+00:00", "value": {"mitigation_remediation": ["Update the LatePoint plugin to any version newer than 5.2.7, as newer releases are not vulnerable.", "If an upgrade cannot be performed immediately, restrict access to the booking form settings page so that only authenticated administrators can view or modify settings.", "Monitor administrative logs for unexpected changes to booking form settings or the presence of injected scripts, and remove any suspicious entries promptly."], "summary": {"action": "Patch immediately", "impact": "Cross\u2011Site Request Forgery leading to Stored XSS"}, "threat_synthesis": {"affected_systems": "All releases of the LatePoint \u2013 Calendar Booking Plugin for Appointments and Events with a version number of 5.2.7 or earlier are affected. The vendor responsible is latepoint. No further version ranges are specified beyond the stated upper bound.", "description_and_impact": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events contains a Cross\u2011Site Request Forgery (CSRF) flaw in its reload_preview() function due to missing or incorrect nonce validation. An unauthenticated attacker can forge a request that updates booking form settings and injects malicious JavaScript, which is then stored in the database. When an administrator or authenticated user later views the updated settings, the injected script executes, creating a stored Cross\u2011Site Scripting (XSS) vulnerability. This can compromise the confidentiality, integrity, and availability of the site by allowing execution of arbitrary code within the administrative context.", "risk_and_exploitability": "The CVSS score of 6.1 indicates a medium severity vulnerability. The EPSS score of less than 1% suggests a low overall exploitation probability, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to convince a site administrator to click a forged link or otherwise submit the crafted request, a form of social engineering that is common but not guaranteed."}}}}, "created": "2026-03-11T11:38:24.557372+00:00", "updated": "2026-03-20T14:38:22.895846+00:00", "vendors": ["latepoint", "latepoint$PRODUCT$latepoint_\u2013_calendar_booking_plugin_for_appointments_and_events", "wordpress", "wordpress$PRODUCT$wordpress"]}