LatePoint Plugin for WordPress: Malicious Code Injection Possible
CVE-2026-4785
Summary
An attacker with contributor-level access to a WordPress site that uses the LatePoint plugin can inject script into pages. The script runs in the browser of any user who visits an affected page and can lead to unauthorized actions. The issue affects versions up to 5.3.0. To fix it, update the plugin to a version higher than 5.3.0.
Original title
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources]...
Original description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
NVD CVSS 3.1
6.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/sho...
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/sho...
- https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcode...
- https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcode...
- https://plugins.trac.wordpress.org/changeset/3491516/latepoint
- https://www.wordfence.com/threat-intel/vulnerabilities/id/55c5c094-69c0-4e2a-be0...
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 8 Apr 2026