LatePoint WordPress Plugin: Attackers can trick admins into adding malicious scripts

CVE-2026-2324
Summary

The LatePoint calendar plugin for WordPress is vulnerable to cross-site request forgery (CSRF) in all versions up to and including 5.2.7. An attacker who tricks a site administrator into clicking a link can use the forged request to change plugin settings and add malicious scripts to the site. To stay safe, update the plugin to the latest version or remove it if you're not using it.

Original title
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to miss...
Original description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request, granted they can trick a site administrator into performing an action such as clicking on a link.
NVD CVSS 3.1 score: 6.1
Vulnerability type
CWE-352 Cross-Site Request Forgery (CSRF)
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026