[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fhdC4RN13SDLqrfZXyvYEaVo4JCeDjsck4EjNhXXejOg":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":9,"research_fix_diff":27,"research_exploit_outline":28,"research_model_used":29,"research_started_at":30,"research_completed_at":31,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":32},"CVE-2026-0617","latepoint-calendar-booking-plugin-for-appointments-and-events-unauthenticated-stored-cross-site-scripting","LatePoint – Calendar Booking Plugin for Appointments and Events \u003C= 5.2.5 - Unauthenticated Stored Cross-Site Scripting","The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history.","latepoint",null,"\u003C=5.2.5","5.2.6","high",7.2,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:N\u002FS:C\u002FC:L\u002FI:L\u002FA:N","Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')","2026-02-02 18:30:30","2026-02-03 06:38:05",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F22bcfd36-ecf9-4d2c-ac94-94ffa0340c4c?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan - CVE-2026-0617 (LatePoint Stored XSS)\n\n## 1. Vulnerability Summary\nThe **LatePoint – Calendar Booking Plugin for Appointments and Events** (versions \u003C= 5.2.5) is vulnerable to **Unauthenticated Stored Cross-Site Scripting (XSS)**. The vulnerability exists within the customer profile management logic. Specifically, when an unauthenticated user provides information during the booking process or profile creation, the plugin fails to sanitize input fields (such as names or custom fields). This malicious data is stored in the database and later rendered without proper escaping when an administrator views the **Customer Activity History** or **Customer Profile** in the LatePoint dashboard.\n\n## 2. Attack Vector Analysis\n*   **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **AJAX Action:** `latepoint_route_call` (via `wp_ajax_nopriv_latepoint_route_call`)\n*   **Vulnerable Route:** `customers__save` (inferred from LatePoint's routing system)\n*   **Payload Parameter:** `params[first_name]`, `params[last_name]`, or custom field parameters within the `params` array.\n*   **Authentication Level:** Unauthenticated (Nopriv).\n*   **Preconditions:** The plugin must be active. A booking form or registration page must be accessible to the public (usually via shortcode).\n\n## 3. Code Flow (Inferred)\n1.  **Entry Point:** An unauthenticated user sends a POST request to `admin-ajax.php` with the action `latepoint_route_call`.\n2.  **Routing:** The `LatePoint\\Lib\\Router::route()` method (or similar) processes the `route_name` parameter (e.g., `customers__save`).\n3.  **Controller:** The request is dispatched to `LatePoint\\Controllers\\CustomersController::save()`.\n4.  **Processing:** The controller extracts data from the `params` array. It likely uses `LatePoint\\Models\\Customer` to save the data.\n5.  **Sink (Storage):** The data is saved to the `wp_latepoint_customers` database table without adequate sanitization (e.g., failing to use `sanitize_text_field`).\n6.  **Sink (Output):** An administrator logs in and navigates to **LatePoint -> Customers -> [Customer Name] -> Activity** or the general **LatePoint -> Dashboard -> Activity Feed**. The plugin fetches the malicious string and echoes it into the HTML via a view file (e.g., `lib\u002Fviews\u002Fcustomers\u002Findex.php` or `lib\u002Fviews\u002Factivities\u002Findex.php`) without using `esc_html()`.\n\n## 4. Nonce Acquisition Strategy\nLatePoint uses a centralized AJAX routing system that typically requires a nonce for security, even for unauthenticated actions.\n\n1.  **Identify Shortcode:** The plugin uses `[latepoint_booking_form]` or `[latepoint_book_button]` to display the booking interface.\n2.  **Setup Page:** Create a public page containing this shortcode.\n3.  **Navigate:** Use `browser_navigate` to reach that page.\n4.  **Extract Nonce:** LatePoint localizes its settings into a global JavaScript object. Use `browser_eval` to extract the nonce.\n    *   **Variable Path:** `window.latepoint_helper?.route_nonce` or `window.latepoint_helper?.nonce`.\n5.  **Action Check:** If `wp_verify_nonce` is called with the action `latepoint_route_call`, the extracted nonce will be valid for the exploit request.\n\n## 5. Exploitation Strategy\n### Step-by-Step Plan:\n1.  **Initialize Environment:** Ensure LatePoint is configured with at least one active Service, Agent, and Location (required for the booking form to initialize).\n2.  **Create Nonce Page:** Use WP-CLI to create a page with the booking shortcode.\n3.  **Extract Nonce:** Access the page via Playwright and extract the `route_nonce`.\n4.  **Inject Payload:** Send a POST request to the AJAX endpoint to create\u002Fupdate a customer profile containing the XSS payload.\n\n### HTTP Request (Exploit):\n*   **Method:** `POST`\n*   **URL:** `{{base_url}}\u002Fwp-admin\u002Fadmin-ajax.php`\n*   **Headers:** `Content-Type: application\u002Fx-www-form-urlencoded`\n*   **Body:**\n    ```\n    action=latepoint_route_call\n    &route_name=customers__save\n    &route_nonce={{extracted_nonce}}\n    &params[first_name]=\u003Cimg src=x onerror=alert(\"XSS_FIRST_NAME\")>\n    &params[last_name]=\u003Cscript>console.log(\"XSS_LAST_NAME\")\u003C\u002Fscript>\n    &params[email]=attacker@example.com\n    &params[password]=Password123!\n    ```\n\n## 6. Test Data Setup\n1.  **Plugin Setup:**\n    ```bash\n    wp plugin activate latepoint\n    # Ensure dependencies like services exist so the form loads\n    wp eval \"LatePoint\\Helpers\\DatabaseHelper::install_default_data();\"\n    ```\n2.  **Page Setup:**\n    ```bash\n    wp post create --post_type=page --post_title=\"Booking\" --post_status=publish --post_content='[latepoint_booking_form]'\n    ```\n3.  **Verification of Frontend:** Confirm the booking form is visible at `\u002Fbooking`.\n\n## 7. Expected Results\n*   The `admin-ajax.php` response should indicate success (e.g., `{\"status\": \"success\", \"message\": \"Customer Saved\"}`).\n*   When an administrator navigates to the LatePoint dashboard (`\u002Fwp-admin\u002Fadmin.php?page=latepoint`), the `alert(\"XSS_FIRST_NAME\")` should execute.\n*   Specifically, checking the \"Customers\" list or \"Activity\" log will trigger the payload.\n\n## 8. Verification Steps\n1.  **Database Check:**\n    ```bash\n    wp db query \"SELECT first_name FROM wp_latepoint_customers WHERE email='attacker@example.com'\"\n    ```\n    Confirm the output contains the raw `\u003Cimg src=x ...>` tag.\n2.  **Admin UI Simulation:**\n    *   Navigate to the admin dashboard using `browser_navigate`.\n    *   Go to `\u002Fwp-admin\u002Fadmin.php?page=latepoint&route_name=customers__index`.\n    *   Check for the execution of the JS payload or use `browser_eval` to check if the payload exists in the DOM:\n        ```javascript\n        document.body.innerHTML.includes('\u003Cimg src=x onerror=alert(\"XSS_FIRST_NAME\")>')\n        ```\n\n## 9. Alternative Approaches\n*   **Custom Fields:** If `first_name` is sanitized in some versions, target \"Custom Fields\" which are often handled dynamically.\n    *   **Route:** `custom_fields__save`\n*   **Booking Comments:** If profile saving is restricted, inject the payload into the `notes` or `comments` field during a booking creation (`route_name=bookings__save_booking`).\n*   **Bypass Nonce:** Check if the plugin calls `check_ajax_referer` with `die=false`. If so, the exploit may work without a valid nonce by simply omitting the `route_nonce` parameter.","The LatePoint plugin for WordPress is vulnerable to unauthenticated stored Cross-Site Scripting (XSS) due to insufficient sanitization of customer profile data during the booking or registration process. This allows attackers to inject malicious JavaScript into fields like first_name, which then executes when an administrator views the customer's profile or activity log in the backend dashboard.","--- a\u002Flib\u002Fcontrollers\u002Fcustomers_controller.php\n+++ b\u002Flib\u002Fcontrollers\u002Fcustomers_controller.php\n@@ -100,7 +100,11 @@\n     public function save() {\n         $params = $this->get_params();\n+        \u002F\u002F Sanitize customer profile fields before saving\n+        if (isset($params['first_name'])) $params['first_name'] = sanitize_text_field($params['first_name']);\n+        if (isset($params['last_name'])) $params['last_name'] = sanitize_text_field($params['last_name']);\n+\n         $customer = new Model_Customer();\n         $customer->set_data($params);\n         if ($customer->save()) {\n--- a\u002Flib\u002Fviews\u002Factivities\u002Findex.php\n+++ b\u002Flib\u002Fviews\u002Factivities\u002Findex.php\n@@ -25,7 +25,7 @@\n-    \u003Cdiv class=\"activity-name\">\u003C?php echo $activity->customer->full_name; ?>\u003C\u002Fdiv>\n+    \u003Cdiv class=\"activity-name\">\u003C?php echo esc_html($activity->customer->full_name); ?>\u003C\u002Fdiv>","1. Locate a public page on the target WordPress site that contains the LatePoint booking form (rendered by the [latepoint_booking_form] shortcode).\n2. Extract the 'route_nonce' security token from the 'window.latepoint_helper' global JavaScript object localized on that page.\n3. Send an unauthenticated AJAX POST request to '\u002Fwp-admin\u002Fadmin-ajax.php' using the action 'latepoint_route_call'.\n4. In the request body, set 'route_name' to 'customers__save', provide the valid 'route_nonce', and populate the 'params[first_name]' or 'params[last_name]' parameter with a malicious XSS payload (e.g., \u003Cimg src=x onerror=alert(document.cookie)>).\n5. The payload is stored in the database. When an administrator logs into the dashboard and navigates to the LatePoint 'Customers' index or 'Activity' feed, the script will execute in their browser session.","gemini-3-flash-preview","2026-04-27 16:58:32","2026-04-27 17:00:34",{"type":33,"vulnerable_version":34,"fixed_version":11,"vulnerable_browse":35,"vulnerable_zip":36,"fixed_browse":37,"fixed_zip":38,"all_tags":39},"plugin","5.2.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags"]