PT-2026-37351 · WordPress · Latepoint

Ly Hoang · Published 2026-05-06 · Updated 2026-05-06 · CVE-2026-7332

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

LatePoint – Calendar Booking Plugin for Appointments and Events versions prior to 5.5.1

Description

The plugin is susceptible to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input sanitization and output escaping within the booking form page url parameter. Unauthenticated attackers can inject arbitrary web scripts into pages, which then execute when a user accesses them. The issue persists even without a configured Stripe integration because the latepoint order intent created action hook triggers before the Stripe Connect account ID is validated, allowing the malicious activity log entry to be written to the database.

Recommendations

Update the plugin to a version later than 5.5.0.

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-7332

Affected Products: Latepoint