{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4785", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-24T17:31:49.689Z", "datePublished": "2026-04-08T03:36:09.316Z", "dateUpdated": "2026-04-08T16:53:33.655Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:33.655Z"}, "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "title": "LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55c5c094-69c0-4e2a-be0c-fab6f1039309?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L272"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L272"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L40"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L40"}, {"url": "https://plugins.trac.wordpress.org/changeset/3491516/latepoint"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "cweId": "CWE-79", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "timeline": [{"time": "2026-03-24T17:47:11.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-07T15:17:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:13:09.433553Z", "id": "CVE-2026-4785", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:14:28.780Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-4785", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T14:13:09.433553Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:14:21.541Z"}}], "cna": {"title": "LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode", "credits": [{"lang": "en", "type": "finder", "value": "Djaidja Moundjid"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.4, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"}}], "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.3.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-24T17:47:11.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-04-07T15:17:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55c5c094-69c0-4e2a-be0c-fab6f1039309?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L272"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L272"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L40"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L40"}, {"url": "https://plugins.trac.wordpress.org/changeset/3491516/latepoint"}], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:53:33.655Z"}}}, "cveMetadata": {"cveId": "CVE-2026-4785", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:53:33.655Z", "dateReserved": "2026-03-24T17:31:49.689Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-04-08T03:36:09.316Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "id": "CVE-2026-4785", "lastModified": "2026-04-27T19:04:22.650", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 2.7, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-08T05:16:06.997", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L272"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L40"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L272"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L40"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3491516/latepoint"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55c5c094-69c0-4e2a-be0c-fab6f1039309?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,5.3.0]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "source": "cna", "vendor": "latepoint"}, "product": "latepoint_\u2013_calendar_booking_plugin_for_appointments_and_events", "vendor": "latepoint"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-08T05:22:09.819329+00:00", "value": {"mitigation_remediation": ["Update the LatePoint plugin to the latest version (5.3.1 or newer) where the button_caption output is properly escaped."], "summary": {"action": "Patch", "impact": "Stored Cross\u2011Site Scripting enabling arbitrary JavaScript execution on pages viewed by users"}, "threat_synthesis": {"affected_systems": "The affected product is the LatePoint \u2013 Calendar Booking Plugin for Appointments and Events, a WordPress plugin. Versions 5.3.0 and older are vulnerable.", "description_and_impact": "The vulnerability is a stored XSS that occurs through the button_caption parameter of the [latepoint_resources] shortcode when the items argument is set to bundles. It is present in LatePoint plugin versions up to and including 5.3.0. An attacker with contributor level or higher can inject malformed script payloads that are written to the post content and later rendered by the plugin. When a user visits a page containing the malicious shortcode, the injected script executes in that user\u2019s browser, potentially facilitating session hijacking, data theft, defacement or malware delivery. This flaw is categorized as CWE\u201179.", "risk_and_exploitability": "The CVSS score of 6.4 indicates moderate severity. The EPSS score is not available and the issue is not listed in the CISA KEV catalog, suggesting it is not widely exploited yet. Exploitation requires an authenticated user with contributor role or higher; the attacker must be able to submit content containing the shortcode. Because the injected script runs for any site visitor that loads the affected page, the impact can be wide\u2011ranging, affecting confidentiality, integrity and availability of the site and its users. The attack vector is therefore an authenticated content injection attack that results in client\u2011side code execution."}}}}, "created": "2026-04-08T19:33:25.857402+00:00", "updated": "2026-04-08T19:44:01.921227+00:00", "vendors": ["latepoint", "latepoint$PRODUCT$latepoint_\u2013_calendar_booking_plugin_for_appointments_and_events", "wordpress", "wordpress$PRODUCT$wordpress"]}