PT-2026-22711 · WordPress · Latepoint – Calendar Booking Plugin For Appointments/Events
Chiao-Lin Yu
·
Published
2026-03-03
·
Updated
2026-03-03
·
CVE-2026-1487
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions
LatePoint – Calendar Booking Plugin for Appointments and Events versions up to and including 5.2.7
Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is susceptible to SQL Injection through the JSON Import functionality. Insufficient validation of user-supplied JSON data allows authenticated attackers with Administrator-level access or higher to execute arbitrary SQL queries. This could lead to information extraction using time-based techniques, data modification, or table deletion. The vulnerability resides in how the plugin handles the JSON import process. The
JSON data is not properly sanitized before being used in database queries.Recommendations
Update LatePoint – Calendar Booking Plugin for Appointments and Events to a version later than 5.2.7.
Fix
SQL injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Latepoint – Calendar Booking Plugin For Appointments/Events