Threat Entry Updated 2026-03-11

CVE-2026-2324 - LatePoint – Calendar Booking Plugin for Appointments and Events

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

PLUGIN LatePoint – Calendar Booking Plugin for Appointments and Events

CVE-2026-2324

MEDIUM CVSS 6.1 2026-03-11

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-03-03

CVE-2026-1487 - LatePoint – Calendar Booking Plugin for Appointments and Events

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary SQL queries on the database that can be used to extract information via time-based techniques, drop tables, or modify data.

PLUGIN LatePoint – Calendar Booking Plugin for Appointments and Events

CVE-2026-1487

MEDIUM CVSS 6.5 2026-03-03

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-03-03

CVE-2026-1566 - LatePoint – Calendar Booking Plugin for Appointments and Events

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the 'wordpress_user_id' field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password.

PLUGIN LatePoint – Calendar Booking Plugin for Appointments and Events

CVE-2026-1566

HIGH CVSS 8.8 2026-03-03

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-04-15

CVE-2026-1537 - LatePoint – Calendar Booking Plugin for Appointments and Events

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthenticated attackers to view booking information including customer names, email addresses, phone numbers, appointment times, and service details.

PLUGIN LatePoint – Calendar Booking Plugin for Appointments and Events

CVE-2026-1537

MEDIUM CVSS 5.3 2026-02-12

Risk Score

Open Full Technical Breakdown

Threat Entry Updated 2026-04-15

CVE-2026-0617 - LatePoint – Calendar Booking Plugin for Appointments and Events

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history.

PLUGIN LatePoint – Calendar Booking Plugin for Appointments and Events

CVE-2026-0617

HIGH CVSS 7.2 2026-02-03

Risk Score

Open Full Technical Breakdown