Vulnerabilities ›

CVE-2026-4785

Medium

CWE-79 — Weakness Type

                    Published: Apr 8, 2026                      ·  Modified: Apr 11, 2026                      ·  Source: NVD                

CVSS v3

6.4

🔗 NVD Official

📄 Description (English)

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'button_caption' parameter in the [latepoint_resources] shortcode in versions up to and including 5.3.0. This is due to insufficient output escaping when the 'items' parameter is set to 'bundles'. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

🤖 AI Executive Summary

The LatePoint WordPress plugin versions up to 5.3.0 contains a Stored XSS vulnerability in the [latepoint_resources] shortcode's 'button_caption' parameter when 'items' is set to 'bundles'. Authenticated contributors and above can inject malicious scripts that execute for all users accessing affected pages.

📄 Description (Arabic)

تحتوي إضافة LatePoint للمكتبات الإلكترونية على ثغرة Stored Cross-Site Scripting في اختصار [latepoint_resources] حيث يمكن للمستخدمين المصرح لهم بمستوى المساهم وما فوقه حقن نصوص برمجية ضارة عبر معامل 'button_caption' عندما يكون 'items' مضبوطاً على 'bundles'. تُنفذ هذه النصوص البرمجية الضارة تلقائياً لجميع المستخدمين الذين يزورون الصفحات المتأثرة.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 13, 2026 10:48

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

healthcare government telecom

🎯 MITRE ATT&CK Techniques

T1190 T1598

⚖️ Saudi Risk Score (AI)

6.0

/ 10.0

🔧 Remediation Steps (English)

Update the LatePoint plugin to version 5.3.1 or later immediately. Review user roles and restrict contributor-level access to trusted personnel only. Audit all pages using [latepoint_resources] shortcodes for injected malicious content and remove any suspicious scripts. Implement Web Application Firewall (WAF) rules to detect and block XSS payloads.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة LatePoint إلى الإصدار 5.3.1 أو أحدث فوراً. راجع أدوار المستخدمين وقيد وصول مستوى المساهم للموظفين الموثوقين فقط. تدقيق جميع الصفحات التي تستخدم اختصارات [latepoint_resources] بحثاً عن محتوى ضار مُحقون وإزالة أي نصوص برمجية مريبة. تطبيق قواعد جدار الحماية لتطبيقات الويب (WAF) للكشف عن حمولات XSS وحجبها.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

5.1.1 5.1.2

🔵 SAMA CSF

CC6.1 CC6.2

🟡 ISO 27001:2022

A.14.2.1 A.14.2.5

🔗 References & Sources 6

🔗

https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.10/lib/helpers/shortcodes...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helpe...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/shortcodes_helpe...

security@wordfence.com

🔗

https://plugins.trac.wordpress.org/changeset/3491516/latepoint

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/55c5c094-69c0-4e2a-be0c-fab6f...

security@wordfence.com

📊 CVSS Score

6.4

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeC — Changed

ConfidentialityL — Low / Local

IntegrityL — Low / Local

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.4

CWECWE-79

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-04-08

Source Feed nvd

🇸🇦 Saudi Risk Score

6.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-79

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

💬 Comments

Loading comments

CVE-2026-4785

💬 Comments

Introduce Yourself

Sign In Required