CVE-2026-1487

Received Received - Intake

SQL Injection in LatePoint Plugin Allows Admin Data Manipulation

Publication date: 2026-03-03

Last updated on: 2026-03-03

Assigner: Wordfence

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary SQL queries on the database that can be used to extract information via time-based techniques, drop tables, or modify data.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-03-03

Last Modified

2026-03-03

Generated

2026-06-19

AI Q&A

2026-03-03

EPSS Evaluated

2026-06-18

NVD

CVE-2026-1487

EUVD

EUVD-2026-9271

Affected Vendors & Products

Vendor	Product	Version / Range
latepoint	calendar_booking_plugin	to 5.2.7 (inc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress has a vulnerability known as SQL Injection in all versions up to and including 5.2.7.

This vulnerability occurs because the plugin does not properly validate user-supplied JSON data during the JSON Import process.

As a result, authenticated users with Administrator-level access or higher can execute arbitrary SQL queries on the database.

Impact Analysis

An attacker exploiting this vulnerability can extract sensitive information from the database using time-based techniques.

They can also drop database tables or modify data, potentially causing data loss or corruption.

Because the attacker needs Administrator-level access, the impact is significant within environments where such access is granted.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Hi! I’m here to help you understand CVE-2026-1487. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-1487

SQL Injection in LatePoint Plugin Allows Admin Data Manipulation

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart