CVE-2026-0617

7.2 HIGH

📋 TL;DR

This stored XSS vulnerability in the LatePoint WordPress plugin allows unauthenticated attackers to inject malicious scripts into customer profile fields. When an administrator views that customer's activity history, the scripts execute in the administrator's browser context. All WordPress sites running LatePoint plugin versions up to and including 5.2.5 are affected.

💻 Affected Systems

Products:
  • LatePoint - Calendar Booking Plugin for Appointments and Events
Versions: All versions up to and including 5.2.5
Operating Systems: Any OS running WordPress
Default Config Vulnerable: ⚠️ Yes
Notes: Requires WordPress installation with LatePoint plugin active. No special configuration needed.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Administrator account compromise leading to full site takeover, data theft, or malware distribution to visitors.

🟠 Likely Case: Session hijacking of administrators, credential theft, or defacement of the WordPress site.

🟢 If Mitigated: Limited impact if administrators use browsers with XSS protection or have additional security layers.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and the vulnerability requires no authentication.
🏢 Internal Only: LOW - The vulnerability requires internet-facing WordPress installation to be exploited.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple XSS payload injection into customer profile fields. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.2.6 or later

Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3449263%40latepoint%2Ftrunk&old=3408660%40latepoint%2Ftrunk&sfp_email=&sfph_mail=

Restart Required: No

Instructions:

1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the LatePoint plugin and click 'Update Now'.
4. Verify the version is 5.2.6 or higher.

🔧 Temporary Workarounds

Disable LatePoint Plugin
Platform: all

Temporarily disable the vulnerable plugin until patched:

wp plugin deactivate latepoint

Restrict Admin Access
Platform: all

Limit administrator access to trusted IP addresses only.

🧯 If You Can't Patch

  • Implement Content Security Policy (CSP) headers to restrict script execution
  • Use web application firewall (WAF) rules to block XSS payloads

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin → Plugins → LatePoint → Version. If version is 5.2.5 or lower, you are vulnerable.

Check Version:

wp plugin get latepoint --field=version

Verify Fix Applied:

After update, confirm version is 5.2.6 or higher in plugin details.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to customer profile endpoints with script tags
  • Administrator account activity from unexpected locations

Network Indicators:

  • Inbound requests containing JavaScript payloads in form fields

SIEM Query:

source="wordpress.log" AND ("latepoint" OR "customer_profile") AND ("<script>" OR "javascript:")
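The log indicators and SIEM query above match only the literal strings "<script>" and "javascript:", but form data reaches WordPress URL-encoded (sometimes double-encoded), so a literal match on the raw request misses it. The following is an added example, not code from the page or the LatePoint project: a Python scanner over constructed log lines (the log format and the admin-ajax action name are hypothetical placeholders) that decodes each form field before matching and flags POSTs to LatePoint customer endpoints carrying script payloads.

```python
import re
from html import unescape
from urllib.parse import parse_qs, unquote_plus

# The two strings from the SIEM query above, plus inline event-handler attributes.
SCRIPT_PATTERNS = [re.compile(p, re.I) for p in
                   (r"<\s*script\b", r"javascript\s*:", r"\bon[a-z]+\s*=")]
ENDPOINT_KEYWORDS = ("latepoint", "customer_profile")  # same keywords as the SIEM query
# Constructed (hypothetical) log format: ts ip "METHOD path" status "url-encoded form body"
LOG_LINE = re.compile(r'^(?P<ts>\S+) (?P<ip>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
                      r'(?P<status>\d{3}) "(?P<body>.*)"$')

# Constructed sample lines; the action name is a placeholder, not LatePoint's real endpoint.
EP = "/wp-admin/admin-ajax.php?action=latepoint_customer_profile"
SAMPLE_LOG = [
    f'2026-01-14T10:02:11Z 203.0.113.7 "POST {EP}" 200 "first_name=Alice&email=alice%40example.com"',
    f'2026-01-14T10:05:42Z 203.0.113.9 "POST {EP}" 200 '
    '"first_name=%3Cscript%3Ealert(1)%3C%2Fscript%3E&email=x%40example.com"',
    f'2026-01-14T10:06:03Z 203.0.113.9 "POST {EP}" 200 "website=javascript%253Avoid(0)"',  # double-encoded
    f'2026-01-14T10:07:19Z 198.51.100.4 "POST {EP}" 200 "notes=I+like+javascript+tutorials"',  # benign
    f'2026-01-14T10:08:00Z 198.51.100.5 "GET {EP}" 200 ""',  # read, not a profile write
]

def normalise(value: str) -> str:
    """Undo URL (incl. double) and HTML-entity encoding before pattern matching."""
    for _ in range(3):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return unescape(value)

def suspicious_fields(body: str) -> list[str]:
    """Names of form fields whose decoded value contains one of the script patterns."""
    return [field for field, values in parse_qs(body, keep_blank_values=True).items()
            if any(p.search(normalise(v)) for v in values for p in SCRIPT_PATTERNS)]

def scan(lines) -> list[tuple[str, str, str, list[str]]]:
    """(ts, ip, path, fields) for POSTs to LatePoint customer endpoints carrying script payloads."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m or m["method"] != "POST" or not any(k in m["path"].lower() for k in ENDPOINT_KEYWORDS):
            continue
        fields = suspicious_fields(m["body"])
        if fields:
            findings.append((m["ts"], m["ip"], m["path"], fields))
    return findings
```

Run against the sample, only the two encoded writes from 203.0.113.9 are reported; the benign mention of "javascript" and the GET are not.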
