LatePoint < 5.2.8 – Authenticated (Administrator+) SQL Injection via JSON Import | CVE 2026-1487 | Plugin Vulnerabilities

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authenticated attackers, with Administrator-level access and above, to execute arbitrary SQL queries on the database that can be used to extract information via time-based techniques, drop tables, or modify data.

Affects Plugins

Fixed in 5.2.8

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/e1bbd339-5eb7-4a62-9c68-bcd76507425c

Classification

Type

SQLI

OWASP top 10

CWE

CVSS

Miscellaneous

Original Researcher

Chiao-Lin Yu (Steven Meow)

Verified

No

WPVDB ID

227cfdec-89ad-4f47-b58c-62b914adb28a

Timeline

Publicly Published

2026-03-02 (about 1 month ago)

Added

2026-03-02 (about 1 month ago)

Last Updated

2026-03-03 (about 1 month ago)

Other

Published

Title

Published

2024-02-16

Title

Piraeus Bank WooCommerce Payment Gateway < 1.7.0 - Unauthenticated SQL Injection

Published

2014-08-01

Title

Booking System <= 1.2 - SQL Injection

Published

2026-03-10

Title

JetBooking < 4.0.3.1 - Unauthenticated SQL Injection via 'check_in_date' Parameter

Published

2023-05-30

Title

Groundhogg < 2.7.11.1 - Admin+ SQLi

Published

2015-07-22

Title

Microblog Poster < 1.6.2 - Authenticated Blind SQL Injection