Latepoint — Vulnerabilities & Security Advisories 24

Browse all 24 CVE security advisories affecting Latepoint. AI-powered Chinese analysis, POCs, and references for each vulnerability.

Latepoint is a WordPress plugin designed to facilitate appointment scheduling and booking management for service-based businesses. Its widespread adoption has made it a frequent target for automated attacks, resulting in twenty-four recorded Common Vulnerabilities and Exposures (CVEs). Historically, the software has suffered from critical flaws including remote code execution, cross-site scripting, and SQL injection, often stemming from insufficient input validation and improper access controls. These vulnerabilities frequently allow unauthenticated attackers to escalate privileges or execute arbitrary commands on compromised servers. While no single catastrophic data breach has been publicly attributed solely to Latepoint, the high volume of exploitable bugs indicates systemic security deficiencies in its development lifecycle. Administrators are strongly advised to maintain strict patching schedules and monitor for unauthorized modifications to ensure the integrity of their booking infrastructure against these persistent threats.

| CVE ID | Title | CVSS | Severity | Published |
|---|---|---|---|---|
| CVE-2026-7652 | LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-640) | 5.3 | Medium | 2026-05-09 |
| CVE-2026-7332 | LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-79) | 7.2 | High | 2026-05-06 |
| CVE-2026-7457 | LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-79) | 6.4 | Medium | 2026-05-06 |
| CVE-2026-6741 | LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-269) | 8.8 | High | 2026-04-27 |
| CVE-2026-5234 | LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-639) | 5.3 | Medium | 2026-04-17 |
| CVE-2026-4785 | LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-79) | 6.4 | Medium | 2026-04-08 |
| CVE-2026-32533 | WordPress LatePoint plugin <= 5.2.6 - Insecure Direct Object References (IDOR) vulnerability — LatePoint (CWE-639) | 6.5 | Medium | 2026-03-25 |
| CVE-2026-2324 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-352) | 6.1 | Medium | 2026-03-11 |
| CVE-2026-1487 | LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-89) | 6.5 | Medium | 2026-03-03 |
| CVE-2026-1566 | LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-269) | 8.8 | High | 2026-03-02 |
| CVE-2025-14873 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Cross-Site Request Forgery — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-352) | 4.3 | Medium | 2026-02-14 |
| CVE-2026-1537 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-862) | 5.3 | Medium | 2026-02-12 |
| CVE-2026-0617 | LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-79) | 7.2 | High | 2026-02-03 |
| CVE-2025-7052 | LatePoint <= 5.1.94 - Cross-Site Request Forgery to Account Takeover via change_password() Function — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-352) | 8.8 | High | 2025-09-30 |
| CVE-2025-7038 | LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-288) | 8.2 | High | 2025-09-30 |
| CVE-2025-6941 | LatePoint <= 5.1.94 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-79) | 6.4 | Medium | 2025-09-30 |
| CVE-2025-6815 | LatePoint <= 5.1.94 - Authenticated (Administrator+) Stored Cross-Site Scripting — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-79) | 5.5 | Medium | 2025-09-30 |
| CVE-2025-3769 | Latepoint <= 5.1.92 - Unauthenticated Insecure Direct Object Reference — LatePoint – Calendar Booking Plugin for Appointments and Events (CWE-639) | 5.3 | Medium | 2025-05-14 |
| CVE-2025-30836 | WordPress LatePoint plugin <= 5.1.6 - Cross Site Scripting (XSS) vulnerability — LatePoint (CWE-79) | 6.5 | Medium | 2025-03-27 |
| CVE-2024-43945 | WordPress LatePoint plugin <= 4.9.91 - Cross Site Request Forgery (CSRF) vulnerability — LatePoint (CWE-352) | 6.5 | Medium | 2024-10-21 |
| CVE-2024-8943 | LatePoint <= 5.0.12 - Authentication Bypass — LatePoint Plugin (CWE-288) | 9.8 | Critical | 2024-10-08 |
| CVE-2024-8911 | LatePoint <= 5.0.11 - Unauthenticated Arbitrary User Password Change via SQL Injection — LatePoint Plugin (CWE-89) | 9.8 | Critical | 2024-10-08 |
| CVE-2024-43992 | WordPress LatePoint plugin <= 4.9.91 - Cross Site Scripting (XSS) vulnerability — LatePoint (CWE-79) | 6.5 | Medium | 2024-09-17 |
| CVE-2024-2472 | LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive Information Exposure via IDOR — LatePoint Plugin (CWE-639) | 9.1 | Critical | 2024-06-14 |

This page lists every published CVE security advisory associated with Latepoint. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.