LatePoint – Calendar Booking Plugin for Appointments and Events Security & Risk Analysis

wordpress.org/plugins/latepoint

Optimize your appointment scheduling with our plugin. Sync calendars, automate reminders, and keep your bookings organized.

100K active installs · v5.2.11 · PHP 7.4+ · WP 6.5+ · Updated Mar 10, 2026
Tags: appointments, booking, calendar, events, scheduling
Score: 20 · F · Critical Risk
CVEs total: 18
Unpatched: 2
Last CVE: Mar 10, 2026
Safety Verdict

Is LatePoint – Calendar Booking Plugin for Appointments and Events Safe to Use in 2026?

Critical Risk — Avoid

Score 20/100

LatePoint – Calendar Booking Plugin for Appointments and Events is critically unsafe with 18 known CVEs, 2 still unpatched. Avoid in production.

18 known CVEs · 2 unpatched · Last CVE: Mar 10, 2026 · Updated 24d ago
Risk Assessment

The security posture of the LatePoint plugin version 5.2.11 presents significant concerns. While the static analysis indicates a lack of immediately critical "dangerous functions" or taint flows, several factors point to a weak security foundation. The plugin has a substantial history of vulnerabilities, with 18 known CVEs, including 4 critical and 4 high-severity issues. The fact that 2 CVEs remain unpatched is a major red flag, suggesting active threats could exploit these known weaknesses. The recent vulnerability date (2026-03-10) is also concerning, indicating ongoing security issues.

Furthermore, the static analysis reveals 2 unprotected AJAX handlers, representing a direct entry point for attackers without proper authentication. The lack of any output escaping (0% properly escaped) across 13 outputs is a critical vulnerability for Cross-Site Scripting (XSS), allowing attackers to inject malicious scripts into the website. The absence of nonce checks and capability checks on potentially sensitive operations further exacerbates these risks.

While the plugin uses prepared statements for most SQL queries, the overall pattern of historical vulnerabilities and critical static analysis findings (unescaped output, unprotected entry points) outweighs the strengths.

Key Concerns

  • Unpatched CVEs present
  • Critical vulnerability in output escaping
  • Unprotected AJAX handlers
  • Missing nonce checks
  • Missing capability checks
  • High number of historical vulnerabilities
Vulnerabilities (18)

LatePoint – Calendar Booking Plugin for Appointments and Events Security Vulnerabilities

CVEs by Year

  • 2024: 5 CVEs (has unpatched)
  • 2025: 7 CVEs
  • 2026: 6 CVEs

Severity Breakdown

  • Critical: 4
  • High: 4
  • Medium: 10

18 total CVEs

CVE-2026-2324 · medium · 6.1 · Cross-Site Request Forgery (CSRF)

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting

Mar 10, 2026 Patched in 5.2.8 (1d)
CVE-2026-1487 · medium · 6.5 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import

Mar 2, 2026 Patched in 5.2.8 (1d)
CVE-2026-1566 · high · 8.8 · Improper Privilege Management

LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation

Mar 2, 2026 Patched in 5.2.8 (1d)
CVE-2025-14873 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Cross-Site Request Forgery

Feb 13, 2026 Patched in 5.2.6 (1d)
CVE-2026-1537 · medium · 5.3 · Missing Authorization

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure

Feb 11, 2026 Patched in 5.2.7 (1d)
CVE-2026-0617 · high · 7.2 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting

Feb 2, 2026 Patched in 5.2.6 (1d)
CVE-2025-6941 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LatePoint <= 5.1.94 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Sep 29, 2025 Patched in 5.2.0 (1d)
CVE-2025-7038 · high · 8.2 · Authentication Bypass Using an Alternate Path or Channel

LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function

Sep 29, 2025 Patched in 5.2.0 (1d)
CVE-2025-7052 · high · 8.8 · Cross-Site Request Forgery (CSRF)

LatePoint <= 5.1.94 - Cross-Site Request Forgery to Account Takeover via change_password() Function

Sep 29, 2025 Patched in 5.2.0 (1d)
CVE-2025-6815 · medium · 5.5 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LatePoint <= 5.1.94 - Authenticated (Administrator+) Stored Cross-Site Scripting

Sep 29, 2025 Patched in 5.2.0 (1d)
CVE-2025-6715 · critical · 9.8 · Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion')

LatePoint <= 5.1.93 - Unauthenticated Local File Inclusion

Jul 23, 2025 Patched in 5.1.94 (28d)
CVE-2025-3769 · medium · 5.3 · Authorization Bypass Through User-Controlled Key

Latepoint <= 5.1.92 - Unauthenticated Insecure Direct Object Reference

May 13, 2025 Patched in 5.1.93 (1d)
CVE-2025-30836 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LatePoint <= 5.1.6 - Authenticated (Contributor+) Stored Cross-Site Scripting

Mar 27, 2025 Patched in 5.1.7 (7d)
CVE-2024-8943 · critical · 9.8 · Authentication Bypass Using an Alternate Path or Channel

LatePoint <= 5.0.12 - Authentication Bypass

Sep 24, 2024 Patched in 5.0.13 (14d)
CVE-2024-8911 · critical · 9.8 · Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

LatePoint <= 5.0.11 - Unauthenticated Arbitrary User Password Change via SQL Injection

Sep 20, 2024 Patched in 5.0.12 (18d)
CVE-2024-43992 · medium · 6.4 · Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

LatePoint <= 4.9.91 - Authenticated (Subscriber+) Stored Cross-Site Scripting

Aug 29, 2024 Unpatched
CVE-2024-43945 · medium · 4.3 · Cross-Site Request Forgery (CSRF)

LatePoint <= 4.9.91 - Cross-Site Request Forgery

Aug 26, 2024 Unpatched
CVE-2024-2472 · critical · 9.1 · Authorization Bypass Through User-Controlled Key

LatePoint Plugin <= 4.9.9 - Missing Authorization and Sensitive Information Exposure via IDOR

Jun 13, 2024 Patched in 4.9.9.1 (1d)
Code Analysis
Analyzed Mar 16, 2026

LatePoint – Calendar Booking Plugin for Appointments and Events Code Analysis

  • Dangerous functions: 0
  • Raw SQL queries: 1 (8 prepared)
  • Unescaped output: 13 (0 escaped)
  • Nonce checks: 0
  • Capability checks: 0
  • File operations: 0
  • External requests: 0
  • Bundled libraries: 0

SQL Query Safety

89% prepared · 9 total queries

Output Escaping

0% escaped · 13 total outputs
Attack Surface (2 unprotected)

LatePoint – Calendar Booking Plugin for Appointments and Events Attack Surface

Entry Points: 8
Unprotected: 2

AJAX Handlers 2

auth · wp_ajax_latepoint_route_call · latepoint.php:972
nopriv · wp_ajax_latepoint_route_call · latepoint.php:973

Shortcodes 6

[latepoint_book_button] latepoint.php:1310
[latepoint_book_form] latepoint.php:1311
[latepoint_customer_dashboard] latepoint.php:1312
[latepoint_customer_login] latepoint.php:1313
[latepoint_resources] latepoint.php:1314
[latepoint_calendar] latepoint.php:1315

WordPress Hooks 44

action · init · latepoint.php:912
action · plugins_loaded · latepoint.php:936
action · after_setup_theme · latepoint.php:943
action · init · latepoint.php:944
action · init · latepoint.php:945
action · admin_menu · latepoint.php:947
action · wp_enqueue_scripts · latepoint.php:948
action · admin_enqueue_scripts · latepoint.php:949
filter · admin_body_class · latepoint.php:950
filter · body_class · latepoint.php:951
filter · cron_schedules · latepoint.php:953
filter · http_request_args · latepoint.php:957
action · admin_bar_menu · latepoint.php:961
action · wp_loaded · latepoint.php:967
action · admin_post_latepoint_route_call · latepoint.php:975
action · admin_post_nopriv_latepoint_route_call · latepoint.php:976
action · latepoint_clear_old_activity_logs · latepoint.php:979
action · latepoint_on_addon_activate · latepoint.php:982
action · latepoint_on_addon_deactivate · latepoint.php:983
action · latepoint_email_processor_settings · latepoint.php:986
filter · login_redirect · latepoint.php:990
action · query_vars · latepoint.php:994
action · parse_request · latepoint.php:999
action · admin_init · latepoint.php:1002
filter · display_post_states · latepoint.php:1004
filter · woocommerce_prevent_admin_access · latepoint.php:1007
action · latepoint_model_save · latepoint.php:1010
filter · latepoint_payment_processors · latepoint.php:1014
action · latepoint_payment_processor_settings · latepoint.php:1015
action · latepoint_step_payment__pay_content · latepoint.php:1016
action · latepoint_order_payment__pay_content_after · latepoint.php:1017
filter · latepoint_convert_charge_amount_to_requirements · latepoint.php:1019
filter · latepoint_process_payment_for_order_intent · latepoint.php:1020
filter · latepoint_process_payment_for_transaction_intent · latepoint.php:1021
filter · latepoint_transaction_intent_specs_charge_amount · latepoint.php:1022
filter · latepoint_get_all_payment_times · latepoint.php:1024
filter · latepoint_get_enabled_payment_times · latepoint.php:1025
filter · latepoint_transaction_is_refund_available · latepoint.php:1026
filter · latepoint_process_refund · latepoint.php:1027
filter · plugin_action_links · latepoint.php:1028
action · latepoint_customer_edit_form_after · latepoint.php:1031
action · save_post · latepoint.php:1033
action · latepoint_after_step_content · latepoint.php:1035
filter · http_request_host_is_external · latepoint.php:1261

Scheduled Events 2

latepoint_check_if_addons_update_available
latepoint_clear_old_activity_logs
Maintenance & Trust

LatePoint – Calendar Booking Plugin for Appointments and Events Maintenance & Trust

Maintenance Signals

WordPress version tested: 6.9.4
Last updated: Mar 10, 2026
PHP min version: 7.4
Downloads: 746K

Community Trust

Rating: 98/100
Number of ratings: 74
Active installs: 100K
Developer Profile

LatePoint – Calendar Booking Plugin for Appointments and Events Developer Profile

LatePoint

1 plugin · 100K total installs

Trust score: 44
Avg Security Score: 20/100
Avg Patch Time: 5 days
Detection Fingerprints

How We Detect LatePoint – Calendar Booking Plugin for Appointments and Events

Patterns used to identify this plugin on WordPress sites during automated security audits and web crawling.

Asset Fingerprints

Asset Paths
/wp-content/plugins/latepoint/public/stylesheets/frontend.css
/wp-content/plugins/latepoint/public/stylesheets/frontend_booking_form.css
/wp-content/plugins/latepoint/public/stylesheets/frontend_booking_form_responsive.css
/wp-content/plugins/latepoint/public/javascripts/frontend.js
/wp-content/plugins/latepoint/public/javascripts/vendor/moment.min.js
/wp-content/plugins/latepoint/public/javascripts/vendor/moment_timezone.min.js
/wp-content/plugins/latepoint/public/javascripts/vendor/fullcalendar.min.js
/wp-content/plugins/latepoint/public/javascripts/vendor/vue.js
+4 more

Script Paths
/wp-content/plugins/latepoint/public/javascripts/frontend.js

Version Parameters
latepoint/public/stylesheets/frontend.css?ver=
latepoint/public/javascripts/frontend.js?ver=

HTML / DOM Fingerprints

CSS Classes
latepoint-booking-form
lp-booking-form-wrapper
lp-booking-form-step
lp-booking-form-agent-selection
lp-booking-form-service-selection
lp-booking-form-date-selection
lp-booking-form-time-selection
lp-booking-form-summary
+9 more

HTML Comments
<!-- LatePoint booking form start -->
<!-- LatePoint booking form end -->
<!-- LatePoint calendar start -->
<!-- LatePoint calendar end -->

Data Attributes
data-latepoint-booking-form
data-lp-booking-form
data-lp-agent-id
data-lp-service-id
data-lp-step
data-lp-date
+2 more

JS Globals
LatePointBookingForm
LatePointFrontend
LatePointCalendar

REST Endpoints
/wp-json/latepoint/v1/booking/prepare
/wp-json/latepoint/v1/booking/create
/wp-json/latepoint/v1/agents
/wp-json/latepoint/v1/services
/wp-json/latepoint/v1/availability
/wp-json/latepoint/v1/payment/process
/wp-json/latepoint/v1/customers

Shortcode Output
[latepoint_booking_form]
[latepoint_calendar]
[latepoint_agent_dashboard]
[latepoint_customer_dashboard]