Where should operators start on this Plugin hub?

Start with the priority CVE quick links, then open the full report for affected versions, remediation notes, CVSS vectors, and source references.

Plugin Vulnerability Hub

Plugin 28 known issues Latest disclosed May 13, 2026

LatePoint – Calendar Booking Plugin for Appointments and Events Vulnerabilities

Q: How many LatePoint – Calendar Booking Plugin for Appointments and Events vulnerabilities have patch guidance?

28 of 28 tracked LatePoint – Calendar Booking Plugin for Appointments and Events records include a published patch path.

Review known vulnerability records for the WordPress plugin LatePoint – Calendar Booking Plugin for Appointments and Events (`latepoint`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-5365, CVE-2026-7652 and CVE-2026-7448, so operators can jump from disclosure to patch validation without scanning the full feed first.

View on WordPress.org Back to Feed

Known Records

High or Critical

Patch Coverage

100%

Last Updated

May 14, 2026

Related Security Guides

Use these guides while reviewing LatePoint – Calendar Booking Plugin for Appointments and Events fixes

Pair this plugin vulnerability hub with practical WordPress hardening, scanner, and patch workflow guidance.

Hardening

WordPress hardening checklist for exposed plugins

Review patch cadence, privileged access, XML-RPC exposure, backups, and monitoring controls.

Plugin Security

WordPress plugin security basics for patch decisions

Use ownership, update testing, least privilege, and removal criteria to reduce plugin risk.

Scanning

WordPress vulnerability scanner buyer's guide

Compare scanner coverage for plugin CVEs, version detection, alert noise, and remediation workflow.

Patch Decision Workflow

How to prioritize LatePoint – Calendar Booking Plugin for Appointments and Events remediation

Use the hub as a decision layer before opening individual records: confirm whether the issue has a CVE, whether a fixed version exists, and whether the affected range overlaps production installs.

Search-Ready Records

1. Match the Package

Confirm the installed WordPress plugin slug is latepoint before acting on any CVE from this cluster.

2. Sort by Severity

Start with 12 high or critical records, then review medium and unrated findings with public references.

3. Check Patch Evidence

28 records include a patch path; verify compatibility before closing the finding.

4. Monitor Gaps

0 records still lack a listed fixed release, so keep this hub in the review queue.

High-Signal Remediation Targets

CVE-2025-6715 Critical

Local File Inclusion remediation for LatePoint – Calendar Booking Plugin for Appointments and Events

Affected range: Versions up to 5.1.93. Fixed version: 5.1.94.

CVE-2024-8943 Critical

Vulnerability remediation for LatePoint – Calendar Booking Plugin for Appointments and Events

Affected range: Versions up to 5.0.12. Fixed version: 5.0.13.

CVE-2024-8911 Critical

SQL Injection remediation for LatePoint – Calendar Booking Plugin for Appointments and Events

Affected range: Versions up to 5.0.11. Fixed version: 5.0.12.

CVE-2024-2472 Critical

Sensitive Information Exposure remediation for LatePoint – Calendar Booking Plugin for Appointments and Events

Affected range: Versions up to 4.9.9. Fixed version: 4.9.9.1.

Priority CVE Quick Links

Fast paths into LatePoint – Calendar Booking Plugin for Appointments and Events CVE reports

Start with the highest-signal CVE records for this WordPress plugin before scanning the full vulnerability feed.

Indexed CVEs

Tracked CVE	Issue Type	Affected Versions	Fixed Version	CVSS
CVE-2025-6715 LatePoint <= 5.1.93 - Unauthenticated Local File Inclusion	Local File Inclusion	Versions up to 5.1.93	5.1.94	CVSS 9.8
CVE-2024-8943 LatePoint <= 5.0.12 - Authentication Bypass	Vulnerability	Versions up to 5.0.12	5.0.13	CVSS 9.8
CVE-2024-8911 LatePoint <= 5.0.11 - Unauthenticated Arbitrary User Password Change via SQL Injecti...	SQL Injection	Versions up to 5.0.11	5.0.12	CVSS 9.8
CVE-2024-2472 LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive Information Exposure...	Sensitive Information Exposure	Versions up to 4.9.9	4.9.9.1	CVSS 9.1
CVE-2026-6741 LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator vi...	Privilege Escalation	Versions up to 5.4.1	5.4.2	CVSS 8.8
CVE-2026-1566 LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation	Privilege Escalation	Versions up to 5.2.7	5.2.8	CVSS 8.8
CVE-2025-7052 LatePoint <= 5.1.94 - Cross-Site Request Forgery to Account Takeover via change_pass...	Cross-Site Request Forgery	Versions up to 5.1.94	5.2.0	CVSS 8.8
CVE-2025-7038 LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function	Vulnerability	Versions up to 5.1.94	5.2.0	CVSS 8.2

CVE-2025-6715 Critical 5.1.94

CVE-2025-6715 LatePoint – Calendar Booking Plugin for Appointments and Events Local File Inclusion

LatePoint <= 5.1.93 - Unauthenticated Local File Inclusion

CVE-2024-8943 Critical 5.0.13

CVE-2024-8943 LatePoint – Calendar Booking Plugin for Appointments and Events Vulnerability

LatePoint <= 5.0.12 - Authentication Bypass

CVE-2024-8911 Critical 5.0.12

CVE-2024-8911 LatePoint – Calendar Booking Plugin for Appointments and Events SQL Injection

LatePoint <= 5.0.11 - Unauthenticated Arbitrary User Password Change via SQL Injection

CVE-2024-2472 Critical 4.9.9.1

CVE-2024-2472 LatePoint – Calendar Booking Plugin for Appointments and Events Sensitive Information Exposure

LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive Information Exposure via IDOR

CVE-2026-6741 High 5.4.2

CVE-2026-6741 LatePoint – Calendar Booking Plugin for Appointments and Events Privilege Escalation

LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability

CVE-2026-1566 High 5.2.8

CVE-2026-1566 LatePoint – Calendar Booking Plugin for Appointments and Events Privilege Escalation

LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation

CVE-2025-7052 High 5.2.0

CVE-2025-7052 LatePoint – Calendar Booking Plugin for Appointments and Events Cross-Site Request Forgery

LatePoint <= 5.1.94 - Cross-Site Request Forgery to Account Takeover via change_password() Function

CVE-2025-7038 High 5.2.0

CVE-2025-7038 LatePoint – Calendar Booking Plugin for Appointments and Events Vulnerability

LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function

Coverage Snapshot

What this page helps you verify fast

This hub clusters tracked records for LatePoint – Calendar Booking Plugin for Appointments and Events so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility

28 records include a published patch path, leaving 0 with no listed safe release yet.

Severity Mix

4 critical and 8 high severity findings.

Recent CVEs

CVE-2026-5365, CVE-2026-7652 and CVE-2026-7448

Reference Workflow

Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

CVE-2026-5365 Medium Patch path listed

CVE-2026-5365: LatePoint <= 5.3.2 - Cross-Site Request Forgery via 'customer_cabinet__request_cancellation' AJAX Route

The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellatio...

Published

May 13, 2026

Patch Status

5.4.0

Review CVE-2026-5365 affected versions

CVE-2026-7652 Medium Patch path listed

CVE-2026-7652: LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 Th...

Published

May 08, 2026

Patch Status

5.5.1

Review CVE-2026-7652 affected versions

CVE-2026-7448 High Patch path listed

CVE-2026-7448: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.5.0 due to insuffici...

Published

May 06, 2026

Patch Status

5.5.1

Review CVE-2026-7448 affected versions

Known Vulnerabilities

Reports for LatePoint – Calendar Booking Plugin for Appointments and Events

Sorted by latest disclosure date so newly published issues surface first.

Plugin Medium Patched: Yes CVE-2026-5365

CVE-2026-5365: LatePoint <= 5.3.2 - Cross-Site Request Forgery via 'customer_cabinet__request_cancellation' AJAX Route

The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to and including 5.3.2. This is due to missing nonce verification on the request_cancellation() function. This makes it possible for unauthenticated attackers to cancel a logged-in c...

Published

May 13, 2026

Patched Release

5.4.0

Affected Versions

Versions up to 5.3.2

Next Step

Update to 5.4.0 or newer if supported.

Review CVE-2026-5365 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-7652

CVE-2026-7652: LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer...

Published

May 08, 2026

Patched Release

5.5.1

Affected Versions

Versions up to 5.5.0

Next Step

Update to 5.5.1 or newer if supported.

Review CVE-2026-7652 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2026-7448

CVE-2026-7448: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated att...

Published

May 06, 2026

Patched Release

5.5.1

Affected Versions

Versions up to 5.5.0

Next Step

Update to 5.5.1 or newer if supported.

Review CVE-2026-7448 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2026-7332

CVE-2026-7332: LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'booking_form_page_url' Parameter

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping....

Published

May 05, 2026

Patched Release

5.5.1

Affected Versions

Versions up to 5.5.0

Next Step

Update to 5.5.1 or newer if supported.

Review CVE-2026-7332 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-7457

CVE-2026-7457: LatePoint <= 5.5.0 - Authenticated (Subscriber+) Stored Cross-Site Scripting via Customer Cabinet Profile Update

The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. This is due to insufficient input sanitization on the customer cabinet profile update endpoint — where raw POST parameters (first_name, last_name, phone, not...

Published

May 05, 2026

Patched Release

5.5.1

Affected Versions

Versions up to 5.5.0

Next Step

Update to 5.5.1 or newer if supported.

Review CVE-2026-7457 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2026-7448

CVE-2026-7448: LatePoint <= 5.5.0 - Unauthenticated Stored Cross-Site Scripting via 'first_name' Parameter

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'first_name' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes...

Published

May 05, 2026

Patched Release

5.5.1

Affected Versions

Versions up to 5.5.0

Next Step

Update to 5.5.1 or newer if supported.

Review CVE-2026-7448 fixed version details Open CVE Reference

Plugin High Patched: Yes CVE-2026-6741

CVE-2026-6741: LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, w...

Published

Apr 27, 2026

Patched Release

5.4.2

Affected Versions

Versions up to 5.4.1

Next Step

Update to 5.4.2 or newer if supported.

Review CVE-2026-6741 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-5234

CVE-2026-5234: LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no auth...

Published

Apr 16, 2026

Patched Release

5.4.0

Affected Versions

Versions up to 5.3.2

Next Step

Update to 5.4.0 or newer if supported.

Review CVE-2026-5234 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-4785

CVE-2026-4785: LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient outpu...

Published

Apr 07, 2026

Patched Release

5.3.1

Affected Versions

Versions up to 5.3.0

Next Step

Update to 5.3.1 or newer if supported.

Review CVE-2026-4785 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-32533

CVE-2026-32533: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Authenticated (Subscriber+) Insecure Direct Object Reference

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.2.6 due to missing validation on a user controlled key. This makes it possible for authenticated atta...

Published

Mar 23, 2026

Patched Release

5.2.7

Affected Versions

Versions up to 5.2.6

Next Step

Update to 5.2.7 or newer if supported.

Review CVE-2026-32533 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-2324

CVE-2026-2324: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it p...

Published

Mar 10, 2026

Patched Release

5.2.8

Affected Versions

Versions up to 5.2.7

Next Step

Update to 5.2.8 or newer if supported.

Review CVE-2026-2324 fixed version details Open CVE Reference

Plugin Medium Patched: Yes CVE-2026-1487

CVE-2026-1487: LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authen...

Published

Mar 02, 2026

Patched Release

5.2.8

Affected Versions

Versions up to 5.2.7

Next Step

Update to 5.2.8 or newer if supported.

Review CVE-2026-1487 fixed version details Open CVE Reference