CVE-2026-1487

Name of the Vulnerable Software and Affected Versions LatePoint – Calendar Booking Plugin for Appointments and Events versions up to and including 5.2.7

Description The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is susceptible to SQL Injection through the JSON Import functionality. Insufficient validation of user-supplied JSON data allows authenticated attackers with Administrator-level access or higher to execute arbitrary SQL queries. This could lead to information extraction using time-based techniques, data modification, or table deletion. The vulnerability resides in how the plugin handles the JSON import process. The JSON data is not properly sanitized before being used in database queries.

Recommendations Update LatePoint – Calendar Booking Plugin for Appointments and Events to a version later than 5.2.7.