CVE-2026-7332 Overview
CVE-2026-7332 is a Stored Cross-Site Scripting (XSS) vulnerability [CWE-79] affecting the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress. The flaw exists in all versions up to and including 5.5.0 and is triggered through the booking_form_page_url parameter. Insufficient input sanitization and output escaping allow unauthenticated attackers to inject arbitrary web scripts that execute when users access affected pages. The malicious payload is written through the latepoint_order_intent_created action hook, which fires before Stripe Connect account validation, so a configured Stripe integration is not required for exploitation.
Critical Impact
Unauthenticated attackers can store JavaScript payloads that execute in administrator browsers, enabling session hijacking, account takeover, and arbitrary actions in the WordPress admin context.
Affected Products
- LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress
- All versions up to and including 5.5.0
- Installations regardless of whether Stripe Connect is configured
Discovery Timeline
- 2026-05-06 - CVE-2026-7332 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-7332
Vulnerability Analysis
The vulnerability is a stored XSS issue rooted in how the LatePoint plugin handles the booking_form_page_url parameter during order intent creation. When a request reaches the Stripe Connect controller, the plugin invokes the latepoint_order_intent_created action hook before validating the Stripe Connect account ID. The activities controller and activities_helper.php then persist the supplied URL value into a database activity log without applying sufficient sanitization or output escaping.
When any user, including a site administrator, later views a page that renders the stored activity entry, the injected script executes in their browser session. Because the entry point is unauthenticated and storage is persistent, a single request can plant a payload that runs across multiple victims and sessions.
Root Cause
The root cause is improper neutralization of input during web page generation. The plugin trusts the booking_form_page_url value passed into the order intent flow and writes it to the activity log without escaping. Output rendering does not apply contextual encoding such as esc_url() or esc_html(), so attacker-controlled markup survives the round trip from request to display.
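The escaping gap described above, shown as an added illustration that is not LatePoint's code or the vendor's patch: the unsafe pattern (value stored verbatim and rendered without encoding) next to a hardened version that validates on the way in and escapes for the output context on the way out. The block assumes a WordPress runtime (esc_url_raw(), esc_url(), esc_html(), wp_parse_url() and home_url() are core functions); the function and array key names are hypothetical.

```php
<?php
// Added illustration, not LatePoint's code or the vendor's fix: the unsafe
// pattern described in the advisory next to a hardened version. Requires a
// WordPress runtime (esc_url_raw, esc_url, esc_html, wp_parse_url, home_url
// are core functions); the function and array key names are hypothetical.

// --- Vulnerable pattern: parameter stored verbatim, rendered unescaped. ---
function vulnerable_build_activity(array $request): array
{
    return ['booking_form_page_url' => $request['booking_form_page_url'] ?? ''];
}

function vulnerable_render_activity(array $row): string
{
    // Whatever was stored reaches the admin page as live markup.
    return '<a href="' . $row['booking_form_page_url'] . '">'
        . $row['booking_form_page_url'] . '</a>';
}

// --- Hardened: validate on input, escape for the output context. ---
function sanitize_booking_form_page_url(string $raw): string
{
    // esc_url_raw() removes invalid characters and returns '' for any URL whose
    // scheme is not in the allow-list, so a javascript: value is dropped here.
    $clean = esc_url_raw(trim($raw), ['http', 'https']);
    // Design choice for this example: only accept absolute URLs on this site's
    // own host, so the activity log cannot be used to send admins elsewhere.
    $host      = wp_parse_url($clean, PHP_URL_HOST);
    $site_host = wp_parse_url(home_url(), PHP_URL_HOST);
    if ($clean === '' || $host === null || strcasecmp((string) $host, (string) $site_host) !== 0) {
        return '';
    }
    return $clean;
}

function hardened_build_activity(array $request): array
{
    $raw = (string) ($request['booking_form_page_url'] ?? '');
    return ['booking_form_page_url' => sanitize_booking_form_page_url($raw)];
}

function hardened_render_activity(array $row): string
{
    $url = (string) ($row['booking_form_page_url'] ?? '');
    if ($url === '') {
        return '<span>-</span>';
    }
    // Escape at output time even though input was validated: rows written by
    // an older, vulnerable version are still in the table after the upgrade.
    return '<a href="' . esc_url($url) . '">' . esc_html($url) . '</a>';
}
```

Both halves of the fix matter independently: input validation stops new malicious rows from being written, while output escaping neutralises rows that a vulnerable version already stored. The same-host check is stricter than the advisory requires and is a design choice of this example, not part of the described fix.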
Attack Vector
An unauthenticated remote attacker submits a crafted booking-related request that includes a malicious booking_form_page_url value containing JavaScript. The latepoint_order_intent_created hook fires and persists the activity entry before Stripe validation logic runs, so the attack succeeds even on sites that have not configured a Stripe Connect account ID. When an administrator or other user opens the activity log or any page that renders the stored value, the script executes in their authenticated context. Refer to the Wordfence Vulnerability Analysis and the LatePoint Activities Controller Code for the affected code paths.
Detection Methods for CVE-2026-7332
Indicators of Compromise
- Activity log entries in the LatePoint database tables containing <script>, javascript:, onerror=, or other HTML/JS markup in the URL field.
- Unexpected outbound requests from administrator browsers to attacker-controlled domains immediately after viewing booking activity pages.
- New or modified WordPress administrator accounts created shortly after admin access to LatePoint activity views.
Detection Strategies
- Inspect HTTP request logs for POST traffic to LatePoint order intent endpoints carrying booking_form_page_url parameters with non-URL characters.
- Run database queries against the LatePoint activities table to flag rows whose URL columns contain angle brackets, event handlers, or javascript: schemes.
- Correlate WordPress admin session activity with anomalous DOM events or script-loading errors reported by browser protections.
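One way to implement the first two detection strategies above (scanning stored activity rows and request logs for markup or script schemes in booking_form_page_url), as an added example that is not from the page or from LatePoint. The column name, the route marker, the admin-ajax action name and every sample row and log line are constructed; adjust them to the real table schema and endpoints. The script runs stand-alone with the PHP CLI.

```php
<?php
declare(strict_types=1);

// Added detection example (not code from the page or from LatePoint).
// Flags stored activity rows and logged requests whose booking_form_page_url
// value carries markup or a script scheme. Column and endpoint names and all
// sample data below are constructed for illustration.

/**
 * True when a URL-typed value contains characters that never appear in a
 * legitimate URL (angle brackets), a javascript: scheme, or an inline event
 * handler in attribute position. Percent- and entity-encoding are decoded
 * first so that encoded variants are caught as well.
 */
function is_suspicious_url_value(string $value): bool
{
    $decoded = html_entity_decode(rawurldecode($value), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // The handler check requires a preceding space or quote, so a query
    // parameter such as "&online=1" is not flagged.
    return preg_match('/[<>]|javascript\s*:|[\s"\']on[a-z]+\s*=/i', $decoded) === 1;
}

/** Returns the ids of activity rows whose URL column is suspicious. */
function scan_activity_rows(array $rows, string $column = 'booking_form_page_url'): array
{
    $flagged = [];
    foreach ($rows as $row) {
        if (isset($row[$column]) && is_suspicious_url_value((string) $row[$column])) {
            $flagged[] = $row['id'];
        }
    }
    return $flagged;
}

/**
 * Scans access-log style lines and returns those whose request targets a
 * LatePoint route (identified by $route_marker in the path or query) and
 * carries a suspicious booking_form_page_url query parameter. Request bodies
 * are not in access logs, so POST bodies need a WAF or audit log instead.
 */
function scan_request_log(array $lines, string $route_marker = 'latepoint'): array
{
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match('/"(?:GET|POST) (\S+) HTTP\/[\d.]+"/', $line, $m)) {
            continue;
        }
        $target = $m[1];
        if (stripos($target, $route_marker) === false) {
            continue;
        }
        parse_str((string) parse_url($target, PHP_URL_QUERY), $params);
        if (isset($params['booking_form_page_url'])
            && is_suspicious_url_value((string) $params['booking_form_page_url'])) {
            $hits[] = $line;
        }
    }
    return $hits;
}

// Constructed sample activity rows: 1 and 2 are clean, 3 to 5 should be flagged.
$rows = [
    ['id' => 1, 'booking_form_page_url' => 'https://example.test/book/'],
    ['id' => 2, 'booking_form_page_url' => 'https://example.test/book/?service=2&online=1'],
    ['id' => 3, 'booking_form_page_url' => 'https://example.test/" onerror="1'],
    ['id' => 4, 'booking_form_page_url' => 'javascript:void(0)'],
    ['id' => 5, 'booking_form_page_url' => '%3Cscript%3E'],
];

// Constructed sample log lines; the action name is a placeholder, not a real route.
$log_lines = [
    '203.0.113.5 - - [06/May/2026:10:00:01 +0000] "POST /wp-admin/admin-ajax.php?action=latepoint_example_route&booking_form_page_url=https%3A%2F%2Fexample.test%2Fbook%2F HTTP/1.1" 200',
    '203.0.113.9 - - [06/May/2026:10:00:02 +0000] "POST /wp-admin/admin-ajax.php?action=latepoint_example_route&booking_form_page_url=%3Cscript%3E HTTP/1.1" 200',
    '198.51.100.7 - - [06/May/2026:10:00:03 +0000] "GET /shop/?q=%3Cscript%3E HTTP/1.1" 200',
];

printf("Flagged activity rows: %s\n", implode(', ', scan_activity_rows($rows)));
foreach (scan_request_log($log_lines) as $hit) {
    echo "Suspicious request: $hit\n";
}
```

Flagged rows should be reviewed and removed as described under the mitigation steps; treat a hit as an indicator to review rather than proof of compromise, since the pattern is deliberately broad.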
Monitoring Recommendations
- Enable WordPress audit logging for plugin activity tables and alert on writes containing HTML control characters in URL fields.
- Monitor web server logs for unauthenticated requests targeting LatePoint controllers and rate-limit unusual sources.
- Track plugin version inventory across managed WordPress sites and alert when LatePoint versions <= 5.5.0 are present.
How to Mitigate CVE-2026-7332
Immediate Actions Required
- Update the LatePoint plugin to a version newer than 5.5.0 that includes the fix referenced in the LatePoint Changeset Overview.
- Audit the LatePoint activity log table and remove any entries containing script tags or unexpected HTML in URL fields.
- Force password resets and review session tokens for WordPress administrators who accessed the activity log while a vulnerable version was installed.
Patch Information
The vendor addressed the issue in the LatePoint plugin trunk after version 5.5.0. The fix introduces proper sanitization and output escaping for the booking_form_page_url parameter and tightens validation in the order intent flow. Site operators should upgrade through the WordPress plugin updater or by replacing the plugin files with the patched release referenced in the trac changeset.
Workarounds
- Deactivate and remove the LatePoint plugin until the patched version can be installed.
- Deploy a Web Application Firewall (WAF) rule that blocks requests to LatePoint endpoints where booking_form_page_url contains <, >, or javascript: substrings.
- Restrict access to WordPress admin URLs by IP allowlist to limit who can render stored activity entries until patching is complete.
# Configuration example
# Example WAF rule snippet (ModSecurity-style) blocking script payloads
# in the booking_form_page_url parameter for LatePoint endpoints
SecRule ARGS:booking_form_page_url "@rx (?i)(<script|javascript:|onerror=|onload=)" \
"id:1026732,phase:2,deny,status:403,log,\
msg:'CVE-2026-7332 LatePoint XSS attempt blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.