CVE-2026-2324
CSRF Vulnerability in LatePoint WordPress Plugin Allows Settings Manipulation
Publication date: 2026-03-11
Last updated on: 2026-03-11
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| latepoint | calendar_booking_plugin | to 5.2.7 (inc) |
| latepoint | calendar_booking_plugin | 5.2.8 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-2324 is a vulnerability in the LatePoint Calendar Booking Plugin for WordPress, affecting all versions up to and including 5.2.7. It is a Cross-Site Request Forgery (CSRF) issue caused by missing or incorrect nonce validation in the reload_preview() function. This flaw allows unauthenticated attackers to trick a site administrator into performing unintended actions, such as updating settings or injecting malicious web scripts, by sending forged requests.
How can this vulnerability impact me? :
This vulnerability can allow attackers to perform unauthorized actions on your WordPress site without authentication by exploiting the administrator's session. Specifically, attackers can update plugin settings or inject malicious scripts, potentially leading to privilege escalation, unauthorized data manipulation, or cross-site scripting (XSS) attacks. This compromises the security and integrity of your website and can expose sensitive data or disrupt normal operations.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
To mitigate the CVE-2026-2324 vulnerability in the LatePoint WordPress plugin, you should immediately update the plugin to version 5.2.8 or later.
This update includes multiple security fixes that prevent unauthorized mass assignment, enhance SQL injection protections, and improve content sanitization to mitigate cross-site scripting risks.
- Update LatePoint plugin to version 5.2.8 or newer.
- Ensure that only authenticated admin users can assign sensitive fields like wordpress_user_id.
- Verify that your system applies the updated SQL statement validation to block dangerous keywords such as SELECT and UNION.
- Check that content sanitization uses safe methods like wp_kses_post and wp_strip_all_tags to prevent XSS.