CVE-2026-0617
Stored XSS in LatePoint WordPress Plugin Allows Admin Session Hijack
Publication date: 2026-02-03
Last updated on: 2026-02-03
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| latepoint | calendar_booking_plugin | up to 5.2.5 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability in the LatePoint WordPress plugin (up to version 5.2.5) is a Stored Cross-Site Scripting (XSS) issue. It occurs because the plugin does not properly sanitize or escape input in the customer profile fields. This allows an unauthenticated attacker to inject malicious web scripts that get stored and later executed when an administrator views the customer's activity history within the plugin.
How can this vulnerability impact me?
This vulnerability can allow attackers to execute arbitrary scripts in the context of an administrator's browser when they view the affected customer activity pages. This can lead to theft of administrator session cookies, unauthorized actions performed on behalf of the administrator, or other malicious activities such as defacement or data theft. Since the attacker does not need to be authenticated, it increases the risk of exploitation.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves stored cross-site scripting (XSS) in the LatePoint WordPress plugin versions up to 5.2.5, specifically via customer profile fields. Detection involves inspecting the customer profile fields and activity logs for unexpected script tags or injected JavaScript code. Since the vulnerability triggers when an administrator views the customer's activity history, monitoring HTTP requests to the admin pages that display these profiles and activity logs for suspicious payloads can also help. No specific detection commands or automated detection tools are provided in the resources.

A practical approach is to review the database entries in the LatePoint activities and customer profile tables for suspicious content, for example by querying the database directly for script tags in the relevant fields. Example query for customer profile fields:

```sql
SELECT * FROM latepoint_customers WHERE customer_profile_fields LIKE '%<script>%';
```

Example query for activity descriptions:

```sql
SELECT * FROM latepoint_activities WHERE description LIKE '%<script>%';
```

Note that the exact table names may vary. Additionally, monitoring web server logs for unusual requests or payloads targeting the affected plugin pages can help detect exploitation attempts. [5]
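The `LIKE '%<script>%'` queries above miss event-handler attributes, `javascript:` URIs and payloads stored JSON-escaped (`\u003cscript\u003e`) in activity log rows. The following added example (not part of this advisory or of the LatePoint plugin) scans exported rows after decoding those encodings; the table and column names and the assumption that activity descriptions hold JSON are placeholders, and the sample rows are constructed.

```python
import html
import re

# Heuristics for markup that can execute script when rendered unescaped in an
# admin page. Applied after decoding, so encoded variants that a plain
# LIKE '%<script>%' misses are still flagged for review.
XSS_PATTERNS = {
    "script_tag": re.compile(r"<\s*script\b", re.I),
    "event_handler": re.compile(r"<\s*[a-z][^>]*\son[a-z]+\s*=", re.I),
    "javascript_uri": re.compile(r"(?:href|src|action)\s*=\s*['\"]?\s*javascript\s*:", re.I),
    "active_element": re.compile(r"<\s*(?:iframe|object|embed|svg|math)\b", re.I),
}

_JSON_UNICODE = re.compile(r"\\u([0-9a-fA-F]{4})")


def normalize(value: str) -> str:
    """Undo encodings a stored payload may carry: JSON \\uXXXX escapes (assumption:
    activity log rows hold JSON) and HTML entities. Two passes, since a value can
    be both JSON-escaped and entity-encoded."""
    for _ in range(2):
        value = _JSON_UNICODE.sub(lambda m: chr(int(m.group(1), 16)), value)
        value = html.unescape(value)
    return value


def scan_rows(rows):
    """Return one finding per suspicious row as (table, id, field, reason)."""
    findings = []
    for row in rows:
        text = normalize(str(row["value"]))
        for reason, pattern in XSS_PATTERNS.items():
            if pattern.search(text):
                findings.append((row["table"], row["id"], row["field"], reason))
                break
    return findings


# Constructed sample rows (not real LatePoint data; table/column names are
# placeholders because the advisory notes the exact names may vary).
SAMPLE_ROWS = [
    {"table": "latepoint_customers", "id": 1, "field": "first_name", "value": "Alice"},
    {"table": "latepoint_customers", "id": 2, "field": "notes", "value": "<script>alert(1)</script>"},
    {"table": "latepoint_customers", "id": 3, "field": "notes", "value": "<img src=x onerror=alert(1)>"},
    {"table": "latepoint_activities", "id": 7, "field": "description",
     "value": "{\"name\":\"\\u003cscript\\u003ealert(1)\\u003c/script\\u003e\"}"},
    {"table": "latepoint_activities", "id": 8, "field": "description",
     "value": "{\"name\":\"Bob &lt;bob@example.invalid&gt;\"}"},
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)  # rows 2, 3 and 7 are reported; 1 and 8 are benign
```

Feed it the rows returned by a broad `SELECT id, <field> FROM <table>` export rather than relying on the LIKE filter, and review each flagged row manually before deleting anything.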
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the LatePoint plugin to version 5.2.6 or later, where the vulnerability has been fixed by improving output escaping and input sanitization to prevent stored XSS attacks. The update includes enhanced escaping of JSON output in activity logs and nonce checks to prevent CSRF attacks, as well as other security improvements. If upgrading immediately is not possible, as a temporary measure, restrict access to the affected customer profile and activity history pages to trusted administrators only, and avoid viewing suspicious customer profiles. Additionally, consider applying web application firewall (WAF) rules to block common XSS payloads targeting the plugin. Ultimately, updating to the patched version is the recommended and effective mitigation. [3]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in the LatePoint WordPress plugin allows unauthenticated attackers to inject arbitrary web scripts via stored cross-site scripting (XSS) in customer profile fields. This can lead to unauthorized script execution when administrators view customer activity history.
Such a vulnerability can impact compliance with standards like GDPR and HIPAA because it risks unauthorized access or manipulation of personal data, potentially leading to data breaches or exposure of sensitive customer information.
Specifically, GDPR requires organizations to protect personal data against unauthorized access and processing, and HIPAA mandates safeguarding protected health information. An XSS vulnerability that allows script injection could be exploited to compromise these protections.
Therefore, this vulnerability poses a risk to maintaining compliance with these regulations by undermining data confidentiality and integrity.