📄 Description (English)
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer's activity history.
🤖 AI Executive Summary
CVE-2026-0617 is a Stored XSS vulnerability in the LatePoint WordPress booking plugin affecting versions up to 5.2.5. Unauthenticated attackers can inject malicious scripts into customer profile fields that execute when administrators view activity history, potentially leading to credential theft, session hijacking, or malware distribution. A patch is available and should be applied immediately.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: May 8, 2026 19:18
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations using WordPress-based appointment booking systems, particularly in healthcare (clinics, hospitals), beauty and wellness services, professional services, and government appointment portals. Healthcare sector (MOH facilities, private hospitals) and government service centers (Absher, Tawakkalna integrations) are most at risk. Compromised administrator accounts could lead to unauthorized access to sensitive patient/citizen data, regulatory violations under PDPL, and reputational damage.
🏢 Affected Saudi Sectors
Healthcare (MOH, private hospitals, clinics)
Government Services (Absher, Tawakkalna, service centers)
Beauty and Wellness Services
Professional Services (legal, consulting)
Education (universities, training centers)
Hospitality and Tourism
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.8
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using LatePoint plugin versions ≤5.2.5 across your organization
2. Restrict access to customer profile pages and activity history to authorized administrators only
3. Review access logs for suspicious activity in the past 30 days
PATCHING:
1. Update LatePoint plugin to version 5.2.6 or later immediately
2. Test the update in a staging environment first
3. Clear WordPress cache after patching
COMPENSATING CONTROLS (if immediate patching not possible):
1. Disable the LatePoint plugin temporarily until patching is completed
2. Implement Web Application Firewall (WAF) rules to block script injection attempts in customer profile fields
3. Restrict admin dashboard access to specific IP addresses/VPN only
4. Enable WordPress security plugins with XSS detection capabilities
DETECTION:
1. Monitor WordPress logs for POST requests to customer profile endpoints with script tags (<script>, javascript:, onerror=, etc.)
2. Alert on any administrator access to customer activity history pages
3. Implement Content Security Policy (CSP) headers to prevent inline script execution
4. Review database for suspicious entries in customer profile fields containing HTML/JavaScript
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات WordPress التي تستخدم إضافة LatePoint بإصدارات ≤5.2.5 عبر مؤسستك
2. تقييد الوصول إلى صفحات ملف العميل وسجل النشاط للمسؤولين المصرحين فقط
3. مراجعة سجلات الوصول للنشاط المريب في آخر 30 يوماً
تطبيق التصحيح:
1. تحديث إضافة LatePoint إلى الإصدار 5.2.6 أو أحدث فوراً
2. اختبار التحديث في بيئة التطوير أولاً
3. مسح ذاكرة التخزين المؤقت لـ WordPress بعد التصحيح
الضوابط البديلة (إذا لم يكن التصحيح الفوري ممكناً):
1. تعطيل إضافة LatePoint مؤقتاً حتى يتم تطبيق التصحيح
2. تطبيق قواعد جدار الحماية لتطبيقات الويب لحجب محاولات حقن البرامج النصية في حقول ملف العميل
3. تقييد وصول لوحة التحكم إلى عناوين IP محددة أو VPN فقط
4. تفعيل إضافات أمان WordPress مع قدرات كشف XSS
الكشف:
1. مراقبة سجلات WordPress لطلبات POST إلى نقاط نهاية ملف العميل تحتوي على علامات البرامج النصية
2. التنبيه على أي وصول مسؤول إلى صفحات سجل نشاط العميل
3. تطبيق رؤوس سياسة أمان المحتوى لمنع تنفيذ البرامج النصية المضمنة
4. مراجعة قاعدة البيانات للإدخالات المريبة في حقول ملف العميل تحتوي على HTML/JavaScript
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.14.2.1 - Secure development policy
A.14.2.5 - Secure development environment
A.14.3.1 - Testing of security functionality
A.14.3.2 - System change control
A.12.6.1 - Management of technical vulnerabilities
🔵 SAMA CSF
ID.SC-7 - Software, firmware, and information integrity checks
PR.DS-6 - Integrity checking mechanisms
DE.CM-8 - Vulnerability scans
🟡 ISO 27001:2022
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Secure development policy
A.14.3.1 - Testing of security functionality
A.14.3.2 - System change control
🟣 PCI DSS v4.0.1
6.2 - Ensure security patches are installed
6.5.7 - Cross-site scripting (XSS)
11.2 - Vulnerability scanning
🔗 References & Sources 5
🔗
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/controllers/activit...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/activity_mod...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/views/activities/vi...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=344926...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/22bcfd36-ecf9-4d2c-ac94-94ffa...
security@wordfence.com