High severity7.2NVD Advisory· Published Feb 3, 2026· Updated Apr 15, 2026
CVE-2026-0617
CVE-2026-0617
Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/controllers/activities_controller.phpnvd
- plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/activity_model.phpnvd
- plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/views/activities/view.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- www.wordfence.com/threat-intel/vulnerabilities/id/22bcfd36-ecf9-4d2c-ac94-94ffa0340c4cnvd
News mentions
3- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 13, 2026 to April 19, 2026)Wordfence Blog · Apr 23, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (April 6, 2026 to April 12, 2026)Wordfence Blog · Apr 16, 2026
- Wordfence Intelligence Weekly WordPress Vulnerability Report (March 23, 2026 to March 29, 2026)Wordfence Blog · Apr 2, 2026