LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update

CVE	CVE-2026-7457
State	PUBLISHED
Assigner	Wordfence
Source Priority	CVE Program / NVD first with legacy fallback
Published	2026-05-06 08:16:04 UTC
Updated	2026-05-06 08:16:04 UTC
Description	The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database — combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed.

Primary CVSS: v3.1 6.4 MEDIUM from [email protected]

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Problem Types: CWE-79 | CWE-79 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Version	Source	Type	Score	Severity	Vector
3.1	[email protected]	Primary	6.4	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N`
3.1	CNA	DECLARED	6.4	MEDIUM	`CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N`

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Source	Vendor	Product	Version	Platforms
CNA	Latepoint	LatePoint Calendar Booking Plugin For Appointments And Events	affected 5.5.0 semver	Not specified

Reference	Source	Link	Tags
plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/misc/process_action.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/replacer_helper.php	[email protected]	plugins.trac.wordpress.org
www.wordfence.com/threat-intel/vulnerabilities/id/628b3f53-decd-47ac-a2d1-339ad...	[email protected]	www.wordfence.com
plugins.trac.wordpress.org/changeset	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/helpers/replacer_helper.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/trunk/lib/misc/process_action.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/misc/process_action.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/controllers/customer_cabinet...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet...	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/replacer_helper.php	[email protected]	plugins.trac.wordpress.org
plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_cont...	[email protected]	plugins.trac.wordpress.org
CVE Program record	CVE.ORG	www.cve.org	canonical
NVD vulnerability detail	NVD	nvd.nist.gov	canonical, analysis

CNA: Niv Kochan (en)

Source	Time	Event
CNA	2026-04-29T17:51:01.000Z	Vendor Notified
CNA	2026-05-05T18:29:59.000Z	Disclosed

There are currently no legacy QID mappings associated with this CVE.