WordPress · Latepoint · CVE-2026-7448
**Name of the Vulnerable Software and Affected Versions**
LatePoint – Calendar Booking Plugin for Appointments and Events versions prior to 5.5.1
**Description**
The plugin is susceptible to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input sanitization and output escaping in the `first name` parameter. Unauthenticated attackers can inject arbitrary web scripts into pages, which then execute in the browser of any user who accesses the affected page.
**Recommendations**
Update the plugin to a version later than 5.5.0.
As a temporary workaround, restrict or sanitize the input received through the `first name` parameter to minimize the risk of exploitation.
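
One way to apply the temporary workaround above, as an added example that is not LatePoint's own code: a WordPress must-use plugin that reduces first-name fields to plain name characters before any plugin reads them. The field key `first_name`, the 64-character limit and the `lpw_` names are assumptions made for this sketch; confirm the real key in your own traffic.

```php
<?php
/**
 * Plugin Name: First-name input restriction (temporary workaround)
 * Added example, not LatePoint code. Save as wp-content/mu-plugins/<any-name>.php.
 * Assumption: the value arrives in a GET/POST field whose key is "first_name",
 * at any nesting depth. Confirm the real key in your own traffic and adjust.
 */

const LPW_FIRST_NAME_KEYS = array( 'first_name' ); // assumed key name
const LPW_MAX_LENGTH      = 64;                    // assumed length limit
// Anything that is not a letter, combining mark, space, period, apostrophe or hyphen.
const LPW_DISALLOWED      = "/[^\\p{L}\\p{M} .'\\-]/u";

/** Reduce a submitted value to plain name characters. */
function lpw_clean_name( $value ) {
	$value = wp_strip_all_tags( (string) $value ); // drop tags and script/style bodies
	$value = (string) preg_replace( LPW_DISALLOWED, '', $value ); // invalid UTF-8 yields ''
	return mb_substr( trim( $value ), 0, LPW_MAX_LENGTH );
}

/** Recursively rewrite first-name fields in a request array; returns number changed. */
function lpw_scrub( array &$data ) {
	$changed = 0;
	foreach ( $data as $key => &$value ) {
		if ( is_array( $value ) ) {
			$changed += lpw_scrub( $value );
		} elseif ( in_array( (string) $key, LPW_FIRST_NAME_KEYS, true ) ) {
			$clean = lpw_clean_name( $value );
			if ( $clean !== $value ) {
				$value = $clean;
				$changed++;
			}
		}
	}
	unset( $value ); // break the reference left by foreach
	return $changed;
}

// Must-use plugins load before WordPress slashes request data and rebuilds
// $_REQUEST from $_GET + $_POST, so the raw values are cleaned here.
$lpw_changed = lpw_scrub( $_GET ) + lpw_scrub( $_POST );
if ( $lpw_changed > 0 ) {
	// Log for review; a rewritten first name is worth investigating.
	error_log( sprintf( 'first-name workaround: rewrote %d field(s) from %s',
		$lpw_changed, isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown' ) );
}
```

This filters form-encoded and query-string input only; it does not add the missing output escaping, does not touch values already stored, and does not inspect JSON request bodies.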