WordPress Plugin Vulnerabilities

LatePoint < 5.3.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Affects Plugins

Plugin icon
latepoint
Fixed in 5.3.1

References

CVE
CVE-2026-4785
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/55c5c094-69c0-4e2a-be0c-fab6f1039309

Classification

Type
XSS
OWASP top 10
A7: Cross-Site Scripting (XSS)
CWE
CWE-79
CVSS
5.5 (Medium)

Miscellaneous

Original Researcher
zaim
Verified
No
WPVDB ID
cb944a39-70b6-489b-be9f-a6d82a3693ce

Timeline

Publicly Published
2026-04-07 (about 1 month ago)
Added
2026-04-07 (about 1 month ago)
Last Updated
2026-04-08 (about 1 month ago)

Other

Published
Title
Published
2023-04-24
Title
Tablesome < 1.0.9 - Reflected XSS
Published
2024-04-03
Title
Spectra – WordPress Gutenberg Blocks < 2.10.4 - Authenticated(Contributor+) Cross-Site Scripting via Custom CSS
Published
2024-11-08
Title
Simpul Events by Esotech <= 1.8.5 - Authenticated (Contributor+) Stored Cross-Site Scripting
Published
2025-02-08
Title
Simple add pages or posts <= 2.0.0 - Authenticated (Administrator+) Stored Cross-Site Scripting
Published
2023-05-23
Title
Ultimate Dashboard < 3.7.6 - Admin+ Stored XSS