CVE-2026-7457 Overview
CVE-2026-7457 is a Stored Cross-Site Scripting (XSS) vulnerability in the LatePoint plugin for WordPress, affecting all versions up to and including 5.5.0. The flaw resides in the customer cabinet profile update endpoint, which fails to sanitize raw POST parameters such as first_name, last_name, phone, and notes. Authenticated attackers with customer-level access can inject arbitrary JavaScript that executes in an administrator's or agent's browser when notification templates referencing customer variables are previewed. The vulnerability is tracked under [CWE-79] and was assigned a CVSS score of 6.4.
Critical Impact
Customer-level attackers can inject scripts that execute in privileged administrator and agent browser sessions through the notification preview panel.
Affected Products
- LatePoint plugin for WordPress, all versions up to and including 5.5.0
- LatePoint versions 5.3.1 and 5.5.0 confirmed vulnerable in source references
- LatePoint trunk prior to changeset 3522933
Discovery Timeline
- 2026-05-06 - CVE-2026-7457 published to NVD
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-7457
Vulnerability Analysis
The vulnerability is a stored XSS issue resulting from two compounding flaws in the LatePoint plugin's data flow. First, the customer cabinet profile update path accepts raw POST parameters without sanitization. Second, the notification preview rendering path injects those stored values into HTML without output escaping. Together, these flaws allow customer-controlled input to reach a privileged DOM context.
An authenticated user with customer privileges can submit JavaScript payloads through profile fields such as first_name, last_name, phone, or notes. The malicious payload is persisted in the database verbatim. When an administrator or agent later previews any notification template that references variables like {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}}, the stored payload executes in the privileged user's browser session.
Root Cause
The OsCustomerModel class does not override the params_to_sanitize() method. As a result, set_data() stores incoming values verbatim in the database. On the output side, generate_preview() substitutes stored customer values into notification template HTML using str_replace() without invoking esc_html() before echoing the result. The combination of missing input sanitization and missing output escaping enables script persistence and execution.
Attack Vector
The attack is remote and requires only customer-level authentication. An attacker registers as a customer or uses an existing customer account, then submits a profile update containing a script payload in any of the affected fields. The payload remains dormant until an administrator or agent opens the notification template preview that interpolates customer variables. At that point, the script executes with the privileges of the previewing user, enabling session theft, administrative action forgery, or further compromise of the WordPress installation.
The vulnerability is described in prose because no verified public exploit code is available. Technical details are documented in the LatePoint Customer Cabinet Controller and the LatePoint Replacer Helper Code.
Detection Methods for CVE-2026-7457
Indicators of Compromise
- LatePoint customer profile records containing HTML tags, <script> elements, or JavaScript event handlers in first_name, last_name, phone, or notes fields.
- Unexpected outbound requests originating from administrator or agent browser sessions shortly after viewing notification template previews.
- New or modified WordPress administrator accounts created shortly after a notification preview was rendered.
Detection Strategies
- Query the LatePoint customer database tables for stored values containing angle brackets, javascript: URIs, or HTML event attributes such as onerror and onload.
- Inspect web server access logs for POST requests to the customer cabinet profile update endpoint that include encoded script payloads.
- Review the LatePoint Process Action Code call paths for unsanitized parameter flow into stored customer records.
Monitoring Recommendations
- Monitor WordPress admin sessions for anomalous DOM activity, unexpected XHR requests, or token exfiltration following access to LatePoint notification settings.
- Alert on creation of new WordPress administrators, plugin installations, or option changes that follow customer profile updates within a short time window.
- Forward WordPress and web server logs to a centralized analytics platform to correlate customer profile edits with subsequent administrative actions.
How to Mitigate CVE-2026-7457
Immediate Actions Required
- Update the LatePoint plugin to a version newer than 5.5.0 that includes the fix referenced in LatePoint Changeset Update.
- Audit existing LatePoint customer records and remove or sanitize any stored values containing HTML or scripting payloads.
- Rotate WordPress administrator and agent session cookies and credentials if customer profile data showed signs of script injection.
Patch Information
The vendor fix is published in changeset 3522933 on the LatePoint plugin trunk. Administrators should upgrade to the patched release distributed through the WordPress plugin repository. Additional context is available in the Wordfence Vulnerability ID 628b3f53 advisory.
Workarounds
- Restrict access to the customer cabinet profile update endpoint behind a Web Application Firewall (WAF) rule that blocks HTML and script characters in first_name, last_name, phone, and notes parameters.
- Disable use of customer variable placeholders such as {{customer_full_name}} and {{customer_notes}} in notification templates until the patch is applied.
- Limit notification template preview access to trusted administrators and avoid previewing templates tied to untrusted customer records.
# Configuration example: WAF rule to block script payloads in LatePoint profile updates
SecRule REQUEST_URI "@contains /latepoint/customer_cabinet" \
"chain,phase:2,deny,status:403,id:1002026,msg:'LatePoint XSS payload blocked'"
SecRule ARGS:first_name|ARGS:last_name|ARGS:phone|ARGS:notes \
"@rx (?i)(<script|javascript:|onerror=|onload=)"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
