PT-2026-37352 · WordPress · Latepoint

Ramon Mateas · Published 2026-05-06 · Updated 2026-05-06 · CVE-2026-7448

CVSS v3.1

7.2 High

Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

LatePoint – Calendar Booking Plugin for Appointments and Events versions prior to 5.5.1

Description

The plugin is susceptible to Stored Cross-Site Scripting (XSS), a flaw where malicious scripts are permanently stored on the target server. This occurs due to insufficient input sanitization and output escaping in the first name parameter. Unauthenticated attackers can inject arbitrary web scripts into pages, which then execute in the browser of any user who accesses the affected page.

Recommendations

Update the plugin to a version later than 5.5.0. As a temporary workaround, restrict or sanitize the input received through the first name parameter to minimize the risk of exploitation.
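
The two controls named in the description (input sanitization and output escaping for the first name value), plus an audit of names already stored, as an added example that is not LatePoint's code or its fix. It is plain PHP; the function names, the allow-list pattern, the 64-character limit and the sample records are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added example, not LatePoint code. Names and limits below are assumptions.

/** Input side: return the trimmed name, or null if it fails the allow-list. */
function example_validate_first_name(string $raw): ?string
{
    $name = trim($raw);
    // Starts with a letter, then letters, combining marks, spaces,
    // apostrophes, periods or hyphens; 64 characters at most (assumed limit).
    // The /u flag also makes invalid UTF-8 fail the match.
    if (preg_match('/\A\p{L}[\p{L}\p{M} \'.\-]{0,63}\z/u', $name) !== 1) {
        return null;
    }
    return $name;
}

/** Output side: escape at the point the value is written into HTML. */
function example_render_first_name(string $stored): string
{
    return htmlspecialchars($stored, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Audit: ids of stored records whose first name fails the allow-list. */
function example_audit_first_names(array $rows): array
{
    $suspect = [];
    foreach ($rows as $id => $firstName) {
        if (example_validate_first_name((string) $firstName) === null) {
            $suspect[] = $id;
        }
    }
    return $suspect;
}

// Constructed sample records (id => first name); not from any real site.
$rows = [1 => 'Ana', 2 => 'Mary-Jo', 3 => "D'Arcy", 4 => '<b>Ana</b>'];

// Records to review by hand: values stored before the update stay in the database.
echo 'Review ids: ', implode(', ', example_audit_first_names($rows)), PHP_EOL;

// Escaped on output, markup characters are rendered as text.
foreach ($rows as $id => $firstName) {
    echo $id, ': ', example_render_first_name($firstName), PHP_EOL;
}
```

Escaping on output is the control that protects records written before the update; the allow-list only narrows what new submissions can store and may need widening for names it rejects.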

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-7448

Affected Products

Latepoint