CVE-2026-7448 Overview
CVE-2026-7448 is a Stored Cross-Site Scripting (XSS) vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress. The flaw affects all versions up to and including 5.5.0. The plugin fails to properly sanitize and escape the first_name parameter, allowing unauthenticated attackers to inject arbitrary JavaScript that executes when a user views an affected page. The vulnerability is tracked under CWE-79 and impacts WordPress sites using LatePoint for appointment booking workflows.
Critical Impact
Unauthenticated attackers can store malicious scripts that execute in the browsers of administrators and site visitors, enabling session theft, account takeover, and arbitrary actions performed in the victim's authenticated context.
Affected Products
- LatePoint – Calendar Booking Plugin for Appointments and Events (WordPress)
- All plugin versions through 5.5.0
- WordPress sites that expose the LatePoint booking form to unauthenticated users
Discovery Timeline
- 2026-05-06 - CVE-2026-7448 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-7448
Vulnerability Analysis
The LatePoint plugin accepts customer information through booking forms, including the first_name field tied to the customer model. The plugin stores this input in the database and later renders it across administrative views, activity logs, and email templates. Insufficient input sanitization on intake combined with missing output escaping on render allows arbitrary HTML and JavaScript to persist and execute in the browser of any user who loads an affected page.
Because the booking form is exposed to anonymous visitors, no authentication or user interaction beyond standard form submission is required. Successful exploitation yields script execution in a different security context than the attacker's, which corresponds to the changed scope reflected in the CVSS vector.
Root Cause
The root cause is improper neutralization of input during web page generation. Code paths in lib/controllers/activities_controller.php, lib/helpers/email_helper.php, lib/helpers/replacer_helper.php, and lib/models/customer_model.php handle the first_name value without applying WordPress escaping primitives such as esc_html(), esc_attr(), or wp_kses() before output. See the LatePoint Customer Model Code and the LatePoint Code Change History for the relevant code paths and corrective changeset.
Attack Vector
An unauthenticated attacker submits a booking request and supplies a malicious payload in the first_name field. The payload is stored in the customer record and later rendered in administrator dashboards, activity feeds, and notification emails. When an administrator opens the affected view, the script executes with the administrator's session, enabling cookie theft, CSRF token extraction, plugin or theme modification, and the creation of attacker-controlled administrative users.
A stored payload typically takes the form of an HTML tag containing a JavaScript event handler placed in the customer's first name field. Because the value is reused across multiple rendering contexts, including HTML pages and email bodies generated by the replacer helper, a single submission can trigger execution in several locations. Refer to the Wordfence Vulnerability Report for additional technical context.
Detection Methods for CVE-2026-7448
Indicators of Compromise
- LatePoint customer records where the first_name field contains HTML tags, JavaScript event handlers (onerror, onload, onclick), or <script> markers.
- WordPress administrator account creations or role changes that immediately follow access to LatePoint activity or customer pages.
- Outbound requests from administrator browsers to unfamiliar domains shortly after viewing booking activity logs.
- Modified plugin or theme files with timestamps that correlate to administrator sessions reviewing LatePoint data.
Detection Strategies
- Query the WordPress database for LatePoint customer rows where first_name matches regular expressions for HTML tags or JavaScript keywords.
- Inspect web server access logs for POST requests to LatePoint booking endpoints carrying suspicious payloads in form parameters.
- Review WordPress audit logs for new administrator users, plugin installs, or option changes occurring after access to LatePoint admin views.
- Compare current plugin file hashes against the official 5.5.x release artifacts to identify tampering.
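The database check in the first detection strategy above, as an added example that is not part of this advisory or of the LatePoint plugin: it applies regular expressions for the indicators listed under Indicators of Compromise to constructed customer rows (the rows stand in for a query against the LatePoint customer table, whose name the advisory does not give) and returns the record ids whose first_name contains markup, an inline event handler, a script marker or a javascript: URI, while ordinary names such as "Don Johnson" are not reported.

```python
import re
from typing import Dict, List, Tuple

# Regexes for the indicators listed above: <script> markers, inline event
# handlers such as onerror=/onload=/onclick=, javascript: URIs and any HTML tag.
INDICATORS: Dict[str, re.Pattern] = {
    "script_tag": re.compile(r"<\s*/?\s*script\b", re.IGNORECASE),
    "event_handler": re.compile(r"\bon[a-z]+\s*=", re.IGNORECASE),
    "javascript_uri": re.compile(r"javascript\s*:", re.IGNORECASE),
    "html_tag": re.compile(r"<\s*[a-z][a-z0-9-]*[^>]*>", re.IGNORECASE),
}


def classify_value(value: str) -> List[str]:
    """Return the names of every indicator that matches a stored first_name value."""
    return [name for name, rx in INDICATORS.items() if rx.search(value)]


def scan_customers(rows: List[Dict[str, object]]) -> List[Tuple[int, List[str]]]:
    """Return (customer id, matched indicators) for every row whose first_name
    carries XSS indicators; rows holding ordinary names are not reported."""
    findings = []
    for row in rows:
        hits = classify_value(str(row.get("first_name", "")))
        if hits:
            findings.append((int(row["id"]), hits))
    return findings


# Constructed sample rows standing in for the result of
# SELECT id, first_name FROM <latepoint customer table> (table name assumed).
SAMPLE_ROWS = [
    {"id": 1, "first_name": "Alice"},
    {"id": 2, "first_name": "O'Neil"},       # an apostrophe alone is not an indicator
    {"id": 3, "first_name": "Don Johnson"},  # 'on' inside a word must not trigger
    {"id": 4, "first_name": "<img src=x onerror=alert(1)>"},
    {"id": 5, "first_name": "<script>alert(1)</script>"},
    {"id": 6, "first_name": "Jean-Luc <b>bold</b>"},
]

if __name__ == "__main__":
    for customer_id, hits in scan_customers(SAMPLE_ROWS):
        print(f"customer {customer_id}: {', '.join(hits)}")
```

Run it against a real export of the customer table to triage records before the cleanup step in the mitigation section.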
Monitoring Recommendations
- Alert on outbound HTTP requests originating from wp-admin page contexts to domains not on an organizational allowlist.
- Monitor creation of WordPress users with the administrator role and tie alerts to recent LatePoint admin activity.
- Track changes to wp_users, wp_usermeta, and LatePoint customer tables for anomalous content patterns.
How to Mitigate CVE-2026-7448
Immediate Actions Required
- Update the LatePoint plugin to a version later than 5.5.0 that includes the fix referenced in the LatePoint Code Change History.
- Audit LatePoint customer records for stored payloads in the first_name field and remove or sanitize affected entries.
- Rotate WordPress administrator passwords and invalidate active sessions if administrators viewed booking activity prior to patching.
- Review and revoke any unexpected administrator accounts, application passwords, or API keys created during the exposure window.
Patch Information
The vendor addressed the issue in the LatePoint plugin trunk via changeset 3522933. Site operators should update through the WordPress plugin dashboard or replace plugin files with the patched release. Verify the fix by confirming that the affected functions in activities_controller.php, email_helper.php, replacer_helper.php, and customer_model.php apply WordPress escaping helpers when rendering the first_name value.
Workarounds
- If immediate patching is not possible, restrict access to the LatePoint booking form using a Web Application Firewall (WAF) rule that filters HTML and JavaScript syntax in the first_name parameter.
- Apply a Content Security Policy (CSP) on WordPress admin pages that disallows inline script execution to limit the impact of stored payloads.
- Disable the LatePoint plugin until the patched version is deployed if booking functionality is non-essential.
# Example WAF rule (ModSecurity) to block script payloads in the first_name parameter
SecRule ARGS:first_name "@rx (?i)(<script|on\w+\s*=|javascript:)" \
"id:1026744801,phase:2,deny,status:403,log,\
msg:'CVE-2026-7448 LatePoint first_name XSS payload blocked'"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.