CVE-2026-0617 identifies a stored cross-site scripting (XSS) vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events, a popular WordPress plugin used for managing bookings and events. The vulnerability exists due to improper neutralization of input during web page generation, specifically within customer profile fields. Attackers can inject arbitrary JavaScript code into these fields without authentication. When an administrator later views the customer's activity history, the malicious script executes in the administrator's browser context. This can lead to theft of administrative session cookies, unauthorized actions performed with administrator privileges, or redirection to malicious sites. The vulnerability affects all versions up to and including 5.2.5. The CVSS 3.1 score of 7.2 reflects a high-severity issue with network attack vector, low attack complexity, no privileges required, and no user interaction needed. The scope is changed because the vulnerability affects the confidentiality and integrity of the administrative interface. Although no public exploits are currently known, the vulnerability's characteristics make it a prime target for attackers seeking to compromise WordPress sites using LatePoint. The flaw stems from insufficient input sanitization and output escaping, which are fundamental security controls for preventing XSS. This vulnerability highlights the risks of third-party plugins in WordPress environments, especially those handling user-generated content and administrative interfaces.

For European organizations, the impact of CVE-2026-0617 can be significant. LatePoint is widely used in sectors such as healthcare, education, professional services, and hospitality for appointment scheduling and event management. Exploitation could allow attackers to execute malicious scripts in the context of administrative users, potentially leading to session hijacking, unauthorized data access, modification of booking information, or even full site compromise. This can result in data breaches involving personal customer information, disruption of business operations, reputational damage, and regulatory non-compliance under GDPR. Since the vulnerability requires no authentication, attackers can exploit it remotely and anonymously, increasing the risk of widespread attacks. The compromise of administrative accounts could also facilitate further lateral movement within organizational networks. Given the critical role of booking systems in customer interaction and business continuity, exploitation could directly affect service availability and customer trust.

1. Monitor for and apply official patches or updates from the LatePoint plugin developers as soon as they become available. 2. Until a patch is released, restrict administrative access to trusted IP addresses and enforce strong multi-factor authentication to reduce the risk of session hijacking. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious input patterns targeting customer profile fields. 4. Conduct a thorough audit of all customer profile fields and sanitize existing data to remove any malicious scripts. 5. Employ Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the administrative interface. 6. Regularly review and harden WordPress security configurations, including limiting plugin installations to trusted sources and minimizing plugin usage. 7. Educate administrators on recognizing unusual behavior or interface anomalies that could indicate exploitation attempts. 8. Consider isolating the booking plugin’s administrative pages or using separate administrative accounts with limited privileges for booking management. 9. Maintain regular backups of the WordPress site and database to enable rapid recovery in case of compromise.