CVE-2026-4785 Overview
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to and including 5.3.0. The vulnerability exists in the button_caption parameter of the [latepoint_resources] shortcode due to insufficient output escaping when the items parameter is set to bundles. This security flaw allows authenticated attackers with contributor-level access or higher to inject arbitrary web scripts into pages that execute whenever a user accesses an injected page.
Critical Impact
Authenticated attackers can inject persistent malicious scripts that execute in visitors' browsers, potentially leading to session hijacking, credential theft, or malicious redirects affecting all users who view compromised pages.
Affected Products
- LatePoint – Calendar Booking Plugin for Appointments and Events versions up to and including 5.3.0
- WordPress installations using vulnerable LatePoint plugin versions
- Sites with contributor-level or higher user accounts that could be compromised
Discovery Timeline
- April 8, 2026 - CVE-2026-4785 published to NVD
- April 8, 2026 - Last updated in NVD database
Technical Details for CVE-2026-4785
Vulnerability Analysis
This Stored Cross-Site Scripting vulnerability stems from improper output encoding within the LatePoint plugin's shortcode handling functionality. When processing the [latepoint_resources] shortcode, the plugin fails to properly sanitize user-supplied input in the button_caption parameter, specifically when the items parameter is configured to display bundles.
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation). The attack can be executed over the network without user interaction, though it requires the attacker to have at least contributor-level privileges on the WordPress installation. Due to the stored nature of this XSS vulnerability, malicious scripts persist in the database and execute every time a victim views the compromised page, creating potential for widespread impact across site visitors.
Root Cause
The root cause is insufficient output escaping in the shortcode helper functionality. The shortcodes_helper.php file processes user-controlled input from the button_caption parameter without properly encoding special characters before rendering the output in HTML context. This allows attackers to break out of the intended HTML attribute or element context and inject executable JavaScript code. The vulnerability is specifically triggered when the shortcode is configured with items="bundles", indicating a conditional code path where proper sanitization was overlooked.
Attack Vector
The attack requires an authenticated user with at least contributor-level access to the WordPress site. The attacker crafts a malicious [latepoint_resources] shortcode with JavaScript code embedded in the button_caption parameter. When this shortcode is placed in a post or page and the items parameter is set to bundles, the injected script is stored in the database and rendered without proper escaping. Any user who subsequently views the page containing the malicious shortcode will have the attacker's JavaScript executed in their browser context, potentially allowing session theft, phishing attacks, or further site compromise.
The attack does not require any user interaction beyond viewing the affected page. The injected scripts persist until manually removed, making this a particularly dangerous form of XSS as it can affect multiple users over an extended period.
Detection Methods for CVE-2026-4785
Indicators of Compromise
- Presence of unexpected or malicious JavaScript code within LatePoint shortcode parameters in WordPress posts or pages
- Unusual button_caption values containing HTML tags, script elements, or event handlers in [latepoint_resources] shortcodes
- Reports from users of unexpected browser behavior or redirects when viewing booking pages
- Web Application Firewall logs showing XSS-related patterns in requests to pages containing LatePoint shortcodes
Detection Strategies
- Review WordPress database for latepoint_resources shortcodes containing suspicious patterns such as <script>, javascript:, or event handlers like onerror
- Implement Content Security Policy headers to detect and block unauthorized inline script execution
- Deploy web application firewall rules to flag stored XSS patterns in shortcode parameters
- Audit user accounts with contributor-level access or higher for unauthorized modifications to posts containing LatePoint shortcodes
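As an added example (not code from the LatePoint project or from this advisory), the following Python script applies the first detection strategy to exported post content: it extracts each [latepoint_resources] shortcode, parses its attributes with a simplified form of the WordPress shortcode attribute grammar, and flags button_caption values that match the patterns listed above, noting whether items="bundles" puts the shortcode on the affected code path. The sample posts are constructed for the demo.

```python
import re

# Constructed sample post contents (post_id -> post_content); not from any real site.
SAMPLE_POSTS = {
    101: 'Pick a bundle: [latepoint_resources items="bundles" button_caption="Book now"]',
    102: '[latepoint_resources items="bundles" button_caption="Book<img src=x onerror=alert(1)>"]',
    103: "[latepoint_resources items='bundles' button_caption='javascript:void(0)']",
    104: '[latepoint_resources items="services" button_caption="<b>Reserve</b>"]',
}

# Match the shortcode and capture everything up to the closing bracket.
SHORTCODE_RE = re.compile(r'\[latepoint_resources\b([^\]]*)\]', re.IGNORECASE)
# Simplified WordPress attribute forms: key="v", key='v', key=v
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s"\'\]]+))')

# Patterns the advisory lists as suspicious, plus any HTML tag opener.
SUSPICIOUS = [
    ("script tag", re.compile(r'<\s*script', re.I)),
    ("javascript: URL", re.compile(r'javascript\s*:', re.I)),
    ("event handler", re.compile(r'\bon\w+\s*=', re.I)),
    ("html tag", re.compile(r'<\s*/?\s*[a-z][\w-]*', re.I)),
]

def parse_atts(raw):
    """Return a dict of lower-cased attribute names to their unquoted values."""
    atts = {}
    for m in ATTR_RE.finditer(raw):
        atts[m.group(1).lower()] = next(g for g in m.groups()[1:] if g is not None)
    return atts

def scan_post(post_id, content):
    """Return one finding per shortcode whose button_caption looks like markup/script."""
    findings = []
    for sc in SHORTCODE_RE.finditer(content):
        atts = parse_atts(sc.group(1))
        caption = atts.get("button_caption", "")
        reasons = [name for name, rx in SUSPICIOUS if rx.search(caption)]
        if reasons:
            items = atts.get("items", "")
            findings.append({
                "post_id": post_id,
                "items": items,
                "vulnerable_path": items.lower() == "bundles",  # the unescaped code path
                "button_caption": caption,
                "reasons": reasons,
            })
    return findings

def scan_posts(posts):
    """Scan a mapping of post_id -> post_content and collect all findings."""
    findings = []
    for post_id, content in posts.items():
        findings.extend(scan_post(post_id, content))
    return findings

if __name__ == "__main__":
    for f in scan_posts(SAMPLE_POSTS):
        print(f"post {f['post_id']}: items={f['items']!r} caption={f['button_caption']!r} "
              f"-> {', '.join(f['reasons'])}")
```

Feed it the output of a post export (for example wp post list with post_content) to review every post, including drafts and pending posts that contributors cannot publish themselves.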
Monitoring Recommendations
- Enable and review WordPress audit logs for post modifications by contributor-level users
- Monitor for unusual JavaScript errors or network requests originating from booking-related pages
- Configure browser-based XSS detection mechanisms and analyze any triggered alerts
- Regularly scan WordPress installations using security plugins that detect stored XSS patterns
How to Mitigate CVE-2026-4785
Immediate Actions Required
- Update LatePoint plugin to a version newer than 5.3.0 that includes the security fix
- Audit existing posts and pages for malicious [latepoint_resources] shortcodes and remove any suspicious content
- Review and restrict contributor-level account access, ensuring only trusted users have this privilege level
- Implement Content Security Policy headers to mitigate the impact of any existing XSS payloads
Patch Information
A patch addressing this vulnerability is available through the WordPress plugin repository. The fix involves proper output escaping of the button_caption parameter in the shortcode helper functionality. For technical details about the code changes, refer to the WordPress LatePoint Changeset 3491516. The Wordfence Vulnerability Report provides additional security advisory information.
Workarounds
- Temporarily disable the LatePoint plugin until the update can be applied if immediate patching is not possible
- Restrict contributor-level access to trusted users only, reducing the attack surface
- Implement web application firewall rules to block common XSS payloads in shortcode parameters
- Use WordPress security plugins that provide real-time XSS detection and blocking capabilities
# Configuration example
# Search the WordPress database for potentially malicious LatePoint shortcodes
wp db search "latepoint_resources" --all-tables --format=csv | grep -i "button_caption"
# List all posts and pages whose content contains the shortcode, for manual review;
# --post_status=any includes drafts and pending posts that contributors cannot publish themselves
wp post list --post_type=post,page --post_status=any --s="latepoint_resources" --fields=ID,post_title,post_author,post_status,post_modified --format=table
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.