Plugin icon

LatePoint – Calendar Booking Plugin for Appointments and Events

latepoint

Vulnerabilities:

17

Last Updated:

March 31, 2026

Active Installs:

100000

Published
Title
Fixed in
CVSS
Published
2026-03-23
Title
LatePoint – Calendar Booking Plugin for Appointments and Events < 5.2.7 - Authenticated (Subscriber+) Insecure Direct Object Reference
Fixed in
Fixed in 5.2.7
CVSS
4.3 (medium)
Published
2026-03-10
Title
LatePoint – Calendar Booking Plugin for Appointments and Events < 5.2.8 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting
Fixed in
Fixed in 5.2.8
CVSS
6.1 (medium)
Published
2026-03-02
Title
LatePoint < 5.2.8 - Authenticated (Administrator+) SQL Injection via JSON Import
Fixed in
Fixed in 5.2.8
CVSS
6.5 (medium)
Published
2026-03-02
Title
LatePoint < 5.2.8 - Agent+ Privilege Escalation
Fixed in
Fixed in 5.2.8
CVSS
7.2 (high)
Published
2026-02-13
Title
LatePoint – Calendar Booking Plugin for Appointments and Events < 5.2.6 - Cross-Site Request Forgery
Fixed in
Fixed in 5.2.6
CVSS
4.3 (medium)
Published
2026-02-11
Title
LatePoint – Calendar Booking Plugin for Appointments and Events < 5.2.7 - Missing Authorization to Booking Details Exposure
Fixed in
Fixed in 5.2.7
CVSS
5.3 (medium)
Published
2026-02-02
Title
LatePoint < 5.2.6 - Unauthenticated Stored XSS
Fixed in
Fixed in 5.2.6
CVSS
7.1 (high)
Published
2025-09-29
Title
LatePoint < 5.2.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Fixed in
Fixed in 5.2.0
CVSS
6.4 (medium)
Published
2025-09-29
Title
LatePoint < 5.2.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Fixed in
Fixed in 5.2.0
CVSS
5.5 (medium)
Published
2025-09-29
Title
LatePoint < 5.2.0 - Account Takeover via CSRF
Fixed in
Fixed in 5.2.0
CVSS
8.8 (high)
Published
2025-09-29
Title
LatePoint < 5.2.0 - Unauthenticated Authentication Bypass
Fixed in
Fixed in 5.2.0
CVSS
8.2 (high)
Published
2025-07-23
Title
Latepoint < 5.1.94 - Unauthenticated LFI
Fixed in
Fixed in 5.1.94
CVSS
6.8 (medium)
Published
2025-05-13
Title
Latepoint < 5.1.93 - Unauthenticated Insecure Direct Object Reference
Fixed in
Fixed in 5.1.93
CVSS
5.3 (medium)
Published
2025-03-27
Title
LatePoint < 5.1.7 - Authenticated (Contributor+) Stored Cross-Site Scripting
Fixed in
Fixed in 5.1.7
CVSS
6.4 (medium)
Published
2024-09-24
Title
LatePoint < 5.0.13 - Authentication Bypass
Fixed in
Fixed in 5.0.13
CVSS
8.1 (high)
Published
2024-09-20
Title
LatePoint < 5.0.12 - Unauthenticated Arbitrary User Password Change via SQL Injection
Fixed in
Fixed in 5.0.12
CVSS
9.8 (critical)
Published
2024-06-13
Title
LatePoint Plugin < 4.9.9.1 - Missing Authorization and Sensitive Information Exposure via IDOR
Fixed in
Fixed in 4.9.9.1
CVSS
9.1 (critical)