CVE-2026-0617 is a stored cross-site scripting (XSS) vulnerability classified under CWE-79, found in the LatePoint – Calendar Booking Plugin for Appointments and Events, a popular WordPress plugin used for managing calendar bookings and appointments. The vulnerability exists due to insufficient input sanitization and output escaping in the customer profile fields, which allows unauthenticated attackers to inject arbitrary JavaScript code. This malicious code is stored persistently in the plugin's database and executed whenever an administrator views the customer's activity history page within the WordPress admin dashboard. Because the attacker does not require authentication or user interaction, the attack surface is broad, and the vulnerability can be exploited remotely over the network. The impact includes potential theft of administrator session cookies, execution of arbitrary actions with administrator privileges, and possible site compromise. The CVSS v3.1 base score is 7.2, reflecting high severity with network attack vector, low attack complexity, no privileges required, no user interaction, and a scope change affecting confidentiality and integrity. Although no exploits are currently known in the wild, the vulnerability poses a significant risk to sites using the affected plugin versions. The plugin is widely used by small and medium businesses for appointment scheduling, making the vulnerability relevant to many organizations relying on WordPress for customer management and booking services.

The vulnerability allows unauthenticated attackers to execute arbitrary scripts in the context of the WordPress admin interface, potentially leading to theft of administrator credentials, session hijacking, and unauthorized administrative actions. This compromises the confidentiality and integrity of the affected systems and data. Since the plugin is used for appointment and event management, attackers could manipulate booking data or gain further access to sensitive customer information. The scope of the vulnerability extends beyond the plugin itself, as successful exploitation can affect the entire WordPress site and its users. The lack of authentication requirement and ease of exploitation increase the risk of widespread attacks. Organizations relying on this plugin may face operational disruptions, reputational damage, and regulatory compliance issues if customer data is exposed or altered.

Organizations should immediately update the LatePoint plugin to a patched version once available. Until a patch is released, administrators should restrict access to the WordPress admin dashboard to trusted IP addresses and implement web application firewall (WAF) rules to detect and block suspicious input patterns targeting customer profile fields. Input validation and output encoding should be enforced at the application level to prevent script injection. Regularly audit customer profile data for suspicious entries and sanitize existing data. Additionally, enable multi-factor authentication (MFA) for administrator accounts to reduce the risk of account compromise. Monitoring logs for unusual administrator activity can help detect exploitation attempts early. Backup WordPress sites regularly to enable recovery in case of compromise. Finally, consider isolating the booking plugin environment or using alternative appointment scheduling solutions if immediate patching is not feasible.