Plugin Vulnerability Hub
Plugin | 21 known issues | Latest disclosed Apr 16, 2026

LatePoint – Calendar Booking Plugin for Appointments and Events Vulnerabilities

Review known vulnerability records for the WordPress plugin LatePoint – Calendar Booking Plugin for Appointments and Events (`latepoint`), including severity, CVE references, affected versions, and patch status.

Recent tracked CVEs on this page include CVE-2026-5234, CVE-2026-4785 and CVE-2026-32533, so operators can jump from disclosure to patch validation without scanning the full feed first.

Known Records: 21
High or Critical: 8
Patch Coverage: 100%
Last Updated: Apr 16, 2026

Coverage Snapshot

What this page helps you verify fast

This hub clusters every indexed record for LatePoint – Calendar Booking Plugin for Appointments and Events so operators can confirm whether a disclosed issue maps to the installed slug, version range, and patch path.

Patch Visibility: 21 records include a published patch path, leaving 0 with no listed safe release yet.
Severity Mix: 4 critical and 4 high severity findings.
Recent CVEs: CVE-2026-5234, CVE-2026-4785 and CVE-2026-32533
Reference Workflow: Jump from the hub into the full report when you need remediation notes, exploit context, CVSS vectors, or source references.

Triage First

Open the records most likely to drive action

These recent records surface the CVE strings, patch cues, and direct report links most operators need first.

Known Vulnerabilities

Reports for LatePoint – Calendar Booking Plugin for Appointments and Events

Sorted by latest disclosure date so newly published issues surface first.

Plugin | Medium | Patched: Yes | CVE-2026-5234
LatePoint <= 5.3.2 - Insecure Direct Object Reference to Unauthenticated Sensitive Financial Data Exposure via Sequential Invoice ID

The LatePoint plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.3.2. The vulnerability exists because the OsStripeConnectController::create_payment_intent_for_transaction action is registered as a public action (no auth...

Published: Apr 16, 2026
Patched Release: 5.4.0
Affected Versions: Versions up to 5.3.2
Next Step: Update to 5.4.0 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2026-4785
LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient outpu...

Published: Apr 07, 2026
Patched Release: 5.3.1
Affected Versions: Versions up to 5.3.0
Next Step: Update to 5.3.1 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2026-32533
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Authenticated (Subscriber+) Insecure Direct Object Reference

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.2.6 due to missing validation on a user controlled key. This makes it possible for authenticated atta...

Published: Mar 23, 2026
Patched Release: 5.2.7
Affected Versions: Versions up to 5.2.6
Next Step: Update to 5.2.7 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2026-2324
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it p...

Published: Mar 10, 2026
Patched Release: 5.2.8
Affected Versions: Versions up to 5.2.7
Next Step: Update to 5.2.8 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2026-1487
LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to SQL Injection via the JSON Import in all versions up to, and including, 5.2.7 due to insufficient validation on the user-supplied JSON data. This makes it possible for authen...

Published: Mar 02, 2026
Patched Release: 5.2.8
Affected Versions: Versions up to 5.2.7
Next Step: Update to 5.2.8 or newer if supported.

Plugin | High | Patched: Yes | CVE-2026-1566
LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating ne...

Published: Mar 02, 2026
Patched Release: 5.2.8
Affected Versions: Versions up to 5.2.7
Next Step: Update to 5.2.8 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-14873
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Cross-Site Request Forgery

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilitie...

Published: Feb 13, 2026
Patched Release: 5.2.6
Affected Versions: Versions up to 5.2.5
Next Step: Update to 5.2.6 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2026-1537
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the load_step() function in all versions up to, and including, 5.2.6. This makes it possible for unauthentica...

Published: Feb 11, 2026
Patched Release: 5.2.7
Affected Versions: Versions up to 5.2.6
Next Step: Update to 5.2.7 or newer if supported.

Plugin | High | Patched: Yes | CVE-2026-0617
LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes...

Published: Feb 02, 2026
Patched Release: 5.2.6
Affected Versions: Versions up to 5.2.5
Next Step: Update to 5.2.6 or newer if supported.

Plugin | High | Patched: Yes | CVE-2025-7052
LatePoint <= 5.1.94 - Cross-Site Request Forgery to Account Takeover via change_password() Function

The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_password() function of its customer_cabinet__change_password AJAX route. The plugin hooks this endpoi...

Published: Sep 29, 2025
Patched Release: 5.2.0
Affected Versions: Versions up to 5.1.94
Next Step: Update to 5.2.0 or newer if supported.

Plugin | Medium | Patched: Yes | CVE-2025-6941
LatePoint <= 5.1.94 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'latepoint_resources' shortcode in all versions up to, and including, 5.1.94 due to insufficient input sanitization...

Published: Sep 29, 2025
Patched Release: 5.2.0
Affected Versions: Versions up to 5.1.94
Next Step: Update to 5.2.0 or newer if supported.

Plugin | High | Patched: Yes | CVE-2025-7038
LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function

The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied cus...

Published: Sep 29, 2025
Patched Release: 5.2.0
Affected Versions: Versions up to 5.1.94
Next Step: Update to 5.2.0 or newer if supported.