The LatePoint plugin for WordPress versions up to 5.5.0 suffers from a stored XSS vulnerability due to a failure in sanitizing input parameters (first_name, last_name, phone, notes) on the customer cabinet profile update endpoint. The OsCustomerModel class does not override the params_to_sanitize() method, causing set_data() to store raw, unsanitized values in the database. Later, the generate_preview() function injects these stored values into notification template HTML using str_replace() without applying esc_html() or equivalent escaping functions. This allows authenticated attackers with customer-level privileges or higher to inject arbitrary JavaScript that executes in the context of administrators or agents when they preview notification templates referencing customer variables.

An attacker with authenticated customer-level access can inject malicious scripts that execute in the browsers of administrators or agents viewing notification template previews. This can lead to unauthorized actions performed with elevated privileges, data theft, or session hijacking within the administrative interface. The vulnerability does not affect availability and requires no user interaction beyond previewing the notification template. There are no known active exploits reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict customer-level user privileges where possible and avoid previewing notification templates that include customer variables. Monitor vendor channels for updates and apply patches promptly once available.