PT-2026-37353 · Latepoint · Latepoint – Calendar Booking Plugin For Appointments/Events
Niv Kochan
·
Published
2026-05-06
·
Updated
2026-05-06
·
CVE-2026-7457
CVSS v3.1
6.4
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. The defect has two halves. On input, the customer cabinet profile update endpoint stores raw POST parameters (first name, last name, phone, notes) without sanitization: OsCustomerModel does not override params_to_sanitize(), so set_data() writes the submitted values to the database verbatim. On output, generate_preview() substitutes those stored values into notification template HTML via str_replace() with no esc_html() call before the result is echoed. An authenticated attacker with customer-level access or above can therefore store arbitrary web script in their own profile fields, and it executes in an administrator's or agent's browser whenever a notification template that references customer variables such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}} is previewed in the admin notification preview panel.
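The following is an added illustration of the two-layer pattern the advisory describes; it is not LatePoint's code. The class, function and property names (Customer, set_data_unsanitized, set_data_sanitized, generate_preview_vulnerable, generate_preview_hardened, placeholder_values) are hypothetical stand-ins, the POST values and template are constructed, and esc_html()/sanitize_text_field() are minimal local substitutes for the WordPress functions so the file runs on a plain PHP CLI.

```php
<?php
declare(strict_types=1);

// Added example, not LatePoint code. Models (1) a model whose set_data()
// stores POST values verbatim because no sanitizer list is declared, and
// (2) a preview renderer that drops {{customer_*}} values into HTML
// unescaped, beside a hardened renderer.

// Stand-ins for the WordPress helpers so this runs outside WordPress.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string {
        $text = strip_tags($text);
        $text = preg_replace('/[\x00-\x1F\x7F]/', '', $text);
        return trim($text);
    }
}

// Hypothetical customer record with the fields the advisory names.
final class Customer {
    public string $first_name = '';
    public string $last_name  = '';
    public string $phone      = '';
    public string $notes      = '';

    private const FIELDS = ['first_name', 'last_name', 'phone', 'notes'];

    /** Vulnerable input path: copies each allowed POST key verbatim. */
    public function set_data_unsanitized(array $params): void {
        foreach (self::FIELDS as $key) {
            if (isset($params[$key])) { $this->$key = (string) $params[$key]; }
        }
    }

    /** Hardened input path: sanitizes each allowed field on the way in. */
    public function set_data_sanitized(array $params): void {
        foreach (self::FIELDS as $key) {
            if (isset($params[$key])) { $this->$key = sanitize_text_field((string) $params[$key]); }
        }
    }

    public function full_name(): string {
        return trim($this->first_name . ' ' . $this->last_name);
    }
}

/** Placeholder => stored value, as a preview renderer would build it. */
function placeholder_values(Customer $c): array {
    return [
        '{{customer_full_name}}'  => $c->full_name(),
        '{{customer_first_name}}' => $c->first_name,
        '{{customer_last_name}}'  => $c->last_name,
        '{{customer_phone}}'      => $c->phone,
        '{{customer_notes}}'      => $c->notes,
    ];
}

/** Vulnerable output path: raw str_replace() of stored values into HTML. */
function generate_preview_vulnerable(string $template, Customer $c): string {
    $values = placeholder_values($c);
    return str_replace(array_keys($values), array_values($values), $template);
}

/**
 * Hardened output path: every substituted value is HTML-escaped, and strtr()
 * is used instead of str_replace() because strtr() replaces in a single pass,
 * so a stored value that itself contains "{{customer_notes}}" is not expanded
 * by a later replacement.
 */
function generate_preview_hardened(string $template, Customer $c): string {
    $values = array_map('esc_html', placeholder_values($c));
    return strtr($template, $values);
}

// Constructed POST body: what a customer-level user could submit to the
// profile update endpoint.
$post = [
    'first_name' => 'Alice<script>alert(document.cookie)</script>',
    'last_name'  => 'Smith',
    'phone'      => '555-0100" onmouseover="alert(1)',
    'notes'      => '<img src=x onerror=alert(2)> {{customer_phone}}',
];
$template = '<p>Hello {{customer_full_name}} ({{customer_phone}})</p><p>{{customer_notes}}</p>';

$c = new Customer();
$c->set_data_unsanitized($post);          // the vulnerable store
echo "VULNERABLE PREVIEW:\n", generate_preview_vulnerable($template, $c), "\n\n";
echo "HARDENED PREVIEW (same stored data, escaped on output):\n",
     generate_preview_hardened($template, $c), "\n";
```

Run it with `php example.php` and compare the two outputs: the vulnerable preview emits the stored `<script>` and `onerror=` markup verbatim, while the hardened preview turns `<`, `>` and `"` into entities so the browser renders them as text. Output escaping is the control that closes the XSS regardless of how the data reached the database (this endpoint, an import, or another write path); input sanitization via set_data_sanitized() is worth adding as defence in depth but is not a substitute, since a name field legitimately containing an apostrophe or angle bracket still has to be escaped for the HTML context it lands in.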
Fix
XSS
Affected Products
Latepoint – Calendar Booking Plugin For Appointments/Events