
CVE-2026-7332

High
CWE-79 — Weakness Type
Published: May 6, 2026  ·  Modified: May 13, 2026  ·  Source: NVD
CVSS v3.1 base score: 7.2 (High)
📄 Description (English)

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.

🤖 AI Executive Summary

CVE-2026-7332 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in the LatePoint WordPress booking plugin, affecting all versions up to and including 5.5.0. Unauthenticated attackers can inject scripts through the 'booking_form_page_url' parameter; the payload persists in the database and executes in the browser of every user who opens an affected page. The flaw is particularly dangerous because it needs neither a working Stripe integration nor authentication, so any internet-facing WordPress site running the plugin is exploitable.

🤖 AI Intelligence Analysis Analyzed: May 10, 2026 19:25
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi organizations that run WordPress booking and appointment systems, particularly in healthcare (clinics, hospitals), hospitality (hotels, resorts), professional services (consulting, legal) and e-commerce. Government entities and Aramco contractors with WordPress-based booking systems are exposed in the same way. Successful exploitation can lead to credential theft, malware distribution, defacement and compromise of customer data, and organizations under SAMA oversight that use the plugin for customer-facing services risk regulatory non-compliance. Because exploitation requires no authentication, publicly reachable Saudi websites running the plugin are the most exposed.
🏢 Affected Saudi Sectors
Healthcare (clinics, hospitals, medical centers)
Hospitality (hotels, resorts, tourism)
Professional Services (consulting, legal, accounting)
E-commerce and Retail
Government and Public Sector
Education (universities, training centers)
Financial Services (non-banking)
Real Estate and Property Management
⚖️ Saudi Risk Score (AI): 8.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Inventory every WordPress installation running LatePoint version 5.5.0 or earlier across the organization (the installed version is shown under Plugins in wp-admin, or by `wp plugin list` with WP-CLI).
2. If no fixed release is available, deactivate the plugin rather than leaving it exposed: the flaw is reachable without authentication.
3. Search the LatePoint database tables and activity-log entries for stored 'booking_form_page_url' values that are not plain http(s) URLs: tags, event-handler attributes, javascript: URLs, and percent- or entity-encoded forms of the same.
4. Audit every booking page and embedded form for injected content before restoring public access.

PATCHING GUIDANCE:
1. Watch the vendor's release channel for a version later than 5.5.0 that addresses this CVE; at the time of this entry no patch is listed (see Quick Facts).
2. Apply the fix to every affected installation as soon as it is available.
3. Validate in a staging environment first, then deploy to production.

COMPENSATING CONTROLS (if patch unavailable):
1. Add a WAF rule that blocks requests whose 'booking_form_page_url' parameter, after URL-decoding, contains a tag, an event-handler attribute (onerror=, onload=, onclick=, ...) or a javascript:/data: scheme. A rule that matches only the literal string `<script` misses `<svg onload=...>` and double-encoded payloads.
2. Deploy a restrictive Content Security Policy, for example `Content-Security-Policy: default-src 'self'; script-src 'self'`. Caveat: CSP limits what an injected script can do (inline script and external script sources are blocked) but does not remove the stored payload, and WordPress core, themes and many plugins depend on inline scripts. Roll it out first as `Content-Security-Policy-Report-Only` with a reporting endpoint, then add nonces or hashes for the inline scripts the site legitimately needs before enforcing.
3. If the plugin cannot be protected, disable it and move bookings to another solution.
4. At the application layer, treat 'booking_form_page_url' as a URL rather than free text: accept only absolute http(s) URLs (in WordPress, `esc_url_raw()` on input and `esc_url()` or `esc_attr()` at the point of output) and reject anything containing HTML or a script scheme.
5. Enable a WordPress security plugin (Wordfence, Sucuri) with its XSS rule set and keep the rules current.

DETECTION RULES:
1. Alert on INSERT/UPDATE statements against LatePoint tables (or on exported column values) where 'booking_form_page_url' contains `<script`, `javascript:`, `onerror=`, `onload=`, `onclick=` or any other tag or event-handler attribute; decode percent- and entity-encoding before matching.
2. Log and alert on any request, to any endpoint, that carries a 'booking_form_page_url' parameter whose value is not a plain http(s) URL. Because exploitation needs no authentication, do not limit this to wp-admin traffic. Note that web-server access logs record query strings but not POST bodies, so POST-borne payloads are only visible in WAF or ModSecurity audit logs.
3. Instrument the `latepoint_order_intent_created` action (for example with a small must-use plugin that calls `add_action()` on it) and log every firing on a site where Stripe is not configured. The description above states that the hook fires before the Stripe Connect account ID is validated, so on such a site any firing is unexpected and worth alerting on.
4. WordPress does not emit XSS-specific warnings in its error log; rely on the WAF and security-plugin logs produced by the rules above, and use the PHP error log only to spot anomalies around booking pages.
5. If CSP reporting is enabled, alert on script-src violation reports that originate from booking pages: a stored payload produces violations from many distinct client IPs in a short window, which is a reliable sign that an injected page is being served.
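The detection rules above (decode, then match on tag openers, event handlers and script schemes, and treat anything that is not an absolute http(s) URL as suspect) are shown here as a small scanner. It is an added example written for this advisory, not LatePoint, Wordfence or NVD code. The access-log lines, the stored values, the hostname clinic.example.sa, the client IPs and the row IDs are constructed placeholders, and the requirement that a legitimate 'booking_form_page_url' is an absolute http(s) URL is an assumption that should be adjusted if a site stores relative paths.

```python
"""Flag injected 'booking_form_page_url' values in access logs or DB exports.

Added example for this advisory, not LatePoint, Wordfence or NVD code.
Log lines, hostnames, IPs and row IDs below are constructed placeholders.
Assumption: a legitimate value is an absolute http(s) URL.
"""
import html
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PARAM = "booking_form_page_url"
ALLOWED_SCHEMES = {"http", "https"}

# Matched against the fully decoded value.  The event-handler branch only
# fires in tag context (after whitespace, a quote or a slash; \x22 and \x27
# are the two quote characters) so that a query such as ?online=1 is not hit.
INDICATORS = re.compile(
    r"<\s*/?\s*[a-z]"                    # tag opener: <script, <svg, </a, < img
    r"|(?<=[\s\x22\x27/])on[a-z]+\s*="   # event handler: onerror=, onload=, ...
    r"|javascript\s*:"
    r"|vbscript\s*:"
    r"|data\s*:",
    re.IGNORECASE,
)

# Combined-format access log: client IP first, request target inside the quotes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|PUT|PATCH) (\S+) HTTP/')

def fully_decode(value, max_rounds=3):
    """Undo percent-encoding and HTML entities until stable (bounded loop).
    Double-encoded payloads such as %253Csvg... defeat single-pass filters."""
    for _ in range(max_rounds):
        decoded = html.unescape(unquote(value))
        if decoded == value:
            break
        value = decoded
    return value

def check_page_url(raw):
    """Return None for an acceptable http(s) URL, else a short reason."""
    value = fully_decode(raw)
    if INDICATORS.search(value):
        return "html/js indicator"
    if re.search(r"[\x00-\x1f\x7f]", value):
        return "control characters"
    parts = urlsplit(value.strip())
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return "not an absolute http(s) URL"
    return None

def scan_access_log(lines):
    """(line number, client IP, reason) for each suspicious query-string value.
    Access logs carry the query string only: POST bodies are visible in WAF or
    ModSecurity audit logs, whose values can be passed to check_page_url()."""
    findings = []
    for number, line in enumerate(lines, start=1):
        match = LOG_RE.match(line)
        if not match:
            continue
        client, target = match.groups()
        for key, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if key == PARAM:
                reason = check_page_url(value)
                if reason:
                    findings.append((number, client, reason))
    return findings

def scan_db_values(rows):
    """Same check over (row_id, stored value) pairs exported from the plugin
    tables, for payloads persisted before any WAF rule was in place."""
    findings = []
    for row_id, value in rows:
        reason = check_page_url(value)
        if reason:
            findings.append((row_id, reason))
    return findings

LOG_LINES = [  # constructed sample traffic, not real logs
    '203.0.113.10 - - [06/May/2026:10:01:02 +0300] "GET /?booking_form_page_url=https%3A%2F%2Fclinic.example.sa%2Fbook%2F HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [06/May/2026:10:01:09 +0300] "GET /?booking_form_page_url=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 512 "-" "curl/8.6"',
    '198.51.100.7 - - [06/May/2026:10:01:15 +0300] "GET /?booking_form_page_url=%253Csvg%2Fonload%253Dalert(1)%253E HTTP/1.1" 200 512 "-" "curl/8.6"',
    '198.51.100.7 - - [06/May/2026:10:01:21 +0300] "GET /?booking_form_page_url=javascript%3Aalert(document.domain) HTTP/1.1" 200 512 "-" "curl/8.6"',
    '203.0.113.11 - - [06/May/2026:10:02:00 +0300] "GET /?booking_form_page_url=https%3A%2F%2Fclinic.example.sa%2Fbook%2F%3Fonline%3D1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [06/May/2026:10:02:30 +0300] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
]

DB_ROWS = [  # constructed sample of stored values
    (101, "https://clinic.example.sa/book/"),
    (102, "<img src=x onerror=alert(document.cookie)>"),
    (103, "&lt;script&gt;alert(1)&lt;/script&gt;"),  # entity-encoded payload
    (104, "/book/"),                                  # relative path: review manually
]

if __name__ == "__main__":
    for finding in scan_access_log(LOG_LINES):
        print("log line %d from %s: %s" % finding)
    for row_id, reason in scan_db_values(DB_ROWS):
        print("db row %d: %s" % (row_id, reason))
```

Run stand-alone it reports log lines 2, 3 and 4 (plain, double-encoded and javascript: payloads from 198.51.100.7) and rows 102, 103 and 104, while the legitimate `?online=1` URL on line 5 is left alone because the event-handler pattern only matches inside a tag. The bounded decode loop is the part that matters for rule 1 and 2: a filter that decodes once sees `%3Csvg` and matches nothing.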
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.5.23 - Web application security controls
ECC 2024 A.6.37 - Input validation and output encoding requirements
🔵 SAMA CSF
SAMA CSF 1.1 - Governance and Risk Management
SAMA CSF 2.2 - Information and Communications Technology (ICT) Security
SAMA CSF 2.2.1 - ICT Security Risk Assessment
SAMA CSF 2.2.2 - ICT Security Controls Implementation
SAMA CSF 3.1 - Incident Management and Business Continuity
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security
ISO 27001:2022 A.8.2 - Information security awareness, education and training
ISO 27001:2022 A.8.3 - Information security incident management
ISO 27001:2022 A.8.22 - Restrictions on information systems access
ISO 27001:2022 A.8.24 - Use of cryptography
🟣 PCI DSS v4.0.1
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 6.5.7 - Cross-site scripting (XSS) prevention
PCI DSS 6.2 - Security patches and updates
PCI DSS 11.3 - Penetration testing and vulnerability assessments
Note: the four PCI requirement numbers above follow the v3.2.1 numbering. In v4.0.1 the corresponding requirements are 6.2.4 (prevention of common software attacks, including injection, in bespoke and custom software), 6.3.3 (installing security patches and updates), 11.3 (vulnerability scanning) and 11.4 (penetration testing).
📊 CVSS v3.1 Score: 7.2 / 10.0 — High
📊 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Attack Vector (AV): N — Network
Attack Complexity (AC): L — Low
Privileges Required (PR): N — None
User Interaction (UI): N — None
Scope (S): C — Changed
Confidentiality (C): L — Low
Integrity (I): L — Low
Availability (A): N — None
📋 Quick Facts
Severity: High
CVSS Score: 7.2
CWE: CWE-79
EPSS: 0.22%
Exploit: No
Patch: ✗ No
Published: 2026-05-06
Source Feed: nvd
🇸🇦 Saudi Risk Score: 8.2 / 10.0 — Saudi Risk
Priority: CRITICAL