CVE-2025-6941 is a stored cross-site scripting (XSS) vulnerability identified in the LatePoint – Calendar Booking Plugin for Appointments and Events, a popular WordPress plugin used for managing calendar bookings and appointments. The vulnerability exists due to improper neutralization of input during web page generation, specifically involving the 'id' parameter of the 'latepoint_resources' shortcode. All plugin versions up to and including 5.1.94 are affected. The root cause is insufficient input sanitization and output escaping, which allows authenticated users with Contributor-level privileges or higher to inject arbitrary JavaScript code into pages. When other users access these pages, the malicious scripts execute in their browsers, potentially leading to session hijacking, privilege escalation, or unauthorized actions performed with the victim's credentials. The vulnerability does not require user interaction beyond page access and does not affect availability but compromises confidentiality and integrity. The CVSS v3.1 base score is 6.4, reflecting network attack vector, low attack complexity, required privileges (low), no user interaction, and a scope change. No public exploit code has been reported yet. The vulnerability was published on September 30, 2025, and assigned by Wordfence. Due to the widespread use of WordPress and the plugin's functionality in appointment management, this vulnerability poses a significant risk to websites relying on LatePoint for scheduling.

The impact of CVE-2025-6941 is primarily on the confidentiality and integrity of affected websites and their users. Attackers with Contributor-level access can inject persistent malicious scripts that execute in the context of other users' browsers, potentially stealing authentication cookies, session tokens, or other sensitive data. This can lead to account takeover, unauthorized actions such as booking manipulation or data exfiltration, and distribution of malware to site visitors. Since the vulnerability affects a widely used WordPress plugin for appointment scheduling, organizations in sectors like healthcare, education, professional services, and customer support that rely on LatePoint could see disruption of trust and service integrity. Although availability is not directly impacted, the reputational damage and potential regulatory consequences from data breaches can be severe. The requirement for authenticated access limits the attack surface but does not eliminate risk, especially in environments with many contributors or where account compromise is possible. The vulnerability's scope change means that the attack can affect users beyond the initial attacker, amplifying its impact.

To mitigate CVE-2025-6941, organizations should immediately update the LatePoint plugin to a patched version once released by the vendor. Until a patch is available, administrators should restrict Contributor-level access and above to trusted users only, minimizing the risk of malicious script injection. Implementing a Web Application Firewall (WAF) with rules to detect and block suspicious input patterns in the 'id' parameter can help prevent exploitation. Additionally, applying Content Security Policy (CSP) headers can limit the execution of unauthorized scripts in browsers. Regularly auditing user roles and permissions to enforce the principle of least privilege reduces the attack surface. Monitoring logs for unusual shortcode usage or unexpected content changes can provide early detection. Finally, educating users about the risks of XSS and encouraging the use of multi-factor authentication (MFA) can help mitigate the consequences of compromised accounts.