PT-2026-37353 · WordPress · Latepoint

Niv Kochan · Published 2026-05-06 · Updated 2026-05-06 · CVE-2026-7457

CVSS v3.1: 6.4 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: LatePoint versions prior to 5.5.1

Description: The LatePoint plugin for WordPress contains a stored cross-site scripting (XSS) issue reachable from the customer cabinet profile-update endpoint. OsCustomerModel does not override params_to_sanitize(), so the raw POST parameters first_name, last_name, phone, and notes are written to the database unsanitized by set_data(). Separately, generate_preview() substitutes these stored values into notification-template HTML with str_replace() without passing them through esc_html(). An authenticated attacker with customer-level access or higher can therefore store arbitrary HTML and script in their own profile; it executes in the browser of an administrator or agent when that user previews a notification template that references customer_full_name, customer_first_name, customer_last_name, customer_phone, or customer_notes. Because the payload is stored by a low-privilege customer and rendered in an administrator or agent session, the scope is changed (S:C) even though only customer-level privileges are required (PR:L). Sanitizing on input does not replace escaping on output: both layers are needed, since any sanitizer gap becomes executable the moment a value is substituted into HTML unescaped.

Recommendations: Update the plugin to version 5.5.1 or later.
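The following is an added example, not LatePoint's own code, that reproduces the shape of the two defects described above and one way to close each. Class names (BaseModel, VulnerableCustomerModel, HardenedCustomerModel), the template-variable syntax {{customer_full_name}}, and the POST body are illustrative assumptions; the stand-in esc_html() and sanitize_text_field() definitions exist only so the script runs from the php CLI without WordPress loaded, and approximate what the real WordPress helpers do.

```php
<?php
// Added example (not LatePoint code): model + preview pair showing the two
// defects the advisory describes and one way to fix each. Names are illustrative.

// Stand-ins so the script runs outside WordPress; inside WordPress the real
// esc_html()/sanitize_text_field()/sanitize_textarea_field() are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $s): string {
        return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $s): string { return trim(strip_tags($s)); }
}
if (!function_exists('sanitize_textarea_field')) {
    function sanitize_textarea_field(string $s): string { return trim(strip_tags($s)); }
}

// Base model: set_data() stores whatever it receives unless the subclass
// returns a field => sanitizer map from params_to_sanitize().
abstract class BaseModel {
    protected array $data = [];

    protected function params_to_sanitize(): array { return []; } // no rules by default

    public function set_data(array $params): void {
        $rules = $this->params_to_sanitize();
        foreach ($params as $key => $value) {
            $this->data[$key] = isset($rules[$key]) ? $rules[$key]((string) $value) : $value;
        }
    }

    public function get(string $key): string { return (string) ($this->data[$key] ?? ''); }
}

// Vulnerable shape: no override, so raw POST values reach storage untouched.
class VulnerableCustomerModel extends BaseModel {}

// Hardened shape: an allowlist of accepted fields, each with a sanitizer;
// unknown keys (e.g. a smuggled 'role') are dropped before storage.
class HardenedCustomerModel extends BaseModel {
    protected function params_to_sanitize(): array {
        return [
            'first_name' => 'sanitize_text_field',
            'last_name'  => 'sanitize_text_field',
            'phone'      => 'sanitize_text_field',
            'notes'      => 'sanitize_textarea_field',
        ];
    }
    public function set_data(array $params): void {
        parent::set_data(array_intersect_key($params, $this->params_to_sanitize()));
    }
}

// Template variables derived from the stored customer record.
function template_vars(BaseModel $c): array {
    return [
        '{{customer_full_name}}'  => trim($c->get('first_name') . ' ' . $c->get('last_name')),
        '{{customer_first_name}}' => $c->get('first_name'),
        '{{customer_last_name}}'  => $c->get('last_name'),
        '{{customer_phone}}'      => $c->get('phone'),
        '{{customer_notes}}'      => $c->get('notes'),
    ];
}

// Vulnerable preview: stored values are dropped straight into template HTML.
function generate_preview_vulnerable(string $template, BaseModel $customer): string {
    $vars = template_vars($customer);
    return str_replace(array_keys($vars), array_values($vars), $template);
}

// Hardened preview: every substituted value is HTML-escaped at the point of
// output, regardless of what input sanitization did (defense in depth).
function generate_preview_hardened(string $template, BaseModel $customer): string {
    $vars = array_map('esc_html', template_vars($customer));
    return str_replace(array_keys($vars), array_values($vars), $template);
}

// Constructed profile-update POST body; the last_name value is a generic
// stored-XSS probe, not a payload taken from any real report.
$post = [
    'first_name' => 'Alice',
    'last_name'  => '<img src=x onerror="alert(1)">',
    'phone'      => '555-0100',
    'notes'      => 'vip',
    'role'       => 'admin', // unexpected field: the hardened model discards it
];
$template = '<p>Hello {{customer_full_name}}, we will call {{customer_phone}}.</p>';

$v = new VulnerableCustomerModel(); $v->set_data($post);
$h = new HardenedCustomerModel();   $h->set_data($post);

echo "vulnerable: ", generate_preview_vulnerable($template, $v), PHP_EOL; // tag survives
echo "hardened:   ", generate_preview_hardened($template, $h), PHP_EOL;   // tag removed/escaped
```

Run it with `php example.php`. The vulnerable line emits the `<img ...>` element intact inside the preview markup, which is exactly what an administrator's browser would render; the hardened line shows the tag stripped by the model and, had anything survived, it would still have been neutralized by esc_html() at substitution time. Note that escaping at output is the control that matters for the preview path: even a fully sanitized database does not make an unescaped str_replace() into HTML safe against values that enter through other routes.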

Fix

XSS

Weakness Enumeration

Related Identifiers: CVE-2026-7457

Affected Products: Latepoint