The LatePoint plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to and including 5.5.0. The root cause is two missing controls. First, the customer cabinet profile update endpoint stores raw POST parameters (first_name, last_name, phone, notes) without sanitization: OsCustomerModel does not override params_to_sanitize(), so set_data() writes the submitted values to the database verbatim. Second, generate_preview() substitutes those stored values into notification template HTML via str_replace() and echoes the result without passing them through esc_html() or any equivalent output escaping. Together these allow an authenticated attacker with customer-level access or above to inject arbitrary web script into the admin notification preview panel. The script executes in the browser of an administrator or agent whenever they preview a notification template that references a customer variable such as {{customer_full_name}}, {{customer_first_name}}, {{customer_last_name}}, {{customer_phone}}, or {{customer_notes}}.
The LatePoint WordPress plugin, in versions up to and including 5.5.0, contains a Stored Cross-Site Scripting vulnerability in the customer cabinet profile update endpoint due to insufficient input sanitization and output escaping. Authenticated attackers with customer-level access can inject malicious scripts that execute in an administrator's browser when a notification template referencing customer fields is previewed.
A Stored XSS vulnerability in the LatePoint plugin for WordPress allows authenticated attackers with customer-level access to inject malicious scripts into customer profile fields. The unsanitized data is stored in the database and executes when administrators view notification previews.
LatePoint WordPress plugin up to version 5.5.0 is vulnerable to Stored XSS attacks through the customer profile update feature. Attackers with customer access can inject malicious code that executes when administrators view notification previews.
Update the LatePoint plugin to version 5.5.1 or later immediately. Implement input validation and sanitization for all customer profile fields (first_name, last_name, phone, notes). Apply output escaping using esc_html() (or the escaping function that matches the output context) before rendering user-supplied data in notification templates; escaping on output also neutralizes profile values that were stored before the fix, which input sanitization alone cannot. Review and audit all customer-facing input endpoints for similar vulnerabilities.
Update the LatePoint plugin to version 5.5.1 or later immediately. Apply input validation and sanitization to all customer profile fields. Use output escaping functions such as esc_html() before rendering user-supplied data. Review all customer-facing input points for similar vulnerabilities.
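The following PHP script is an added illustration of the mechanism described in the vulnerability description and of the remediation guidance above; it is not code from the LatePoint plugin. DemoModel, VulnerableCustomer, HardenedCustomer, customer_vars() and the two generate_preview_* functions are hypothetical stand-ins for the plugin's OsCustomerModel, set_data(), params_to_sanitize() and generate_preview(). The sample POST body and template are constructed for the demonstration, and minimal stand-ins for esc_html() and sanitize_text_field() are defined so the file runs on the command line (PHP 7.4 or later) outside WordPress.

```php
<?php
// Added illustration of the mechanism described above; this is not LatePoint code.
// DemoModel, VulnerableCustomer, HardenedCustomer, customer_vars() and the two
// generate_preview_* functions are hypothetical stand-ins for the plugin's
// OsCustomerModel, set_data(), params_to_sanitize() and generate_preview().

// Minimal stand-ins so the file runs on the CLI outside WordPress; under WordPress
// the real esc_html() and sanitize_text_field() are used instead.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field(string $text): string
    {
        // Approximation of the WordPress behaviour: strip tags and control characters.
        return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($text)));
    }
}

abstract class DemoModel
{
    protected array $data = [];

    // Subclasses list the incoming parameters that must be sanitized on write.
    protected function params_to_sanitize(): array
    {
        return [];
    }

    public function set_data(array $params): void
    {
        foreach ($params as $key => $value) {
            if (in_array($key, $this->params_to_sanitize(), true)) {
                $value = sanitize_text_field((string) $value);
            }
            $this->data[$key] = $value; // without the override this is the raw POST value
        }
    }

    public function get(string $key): string
    {
        return (string) ($this->data[$key] ?? '');
    }
}

// Vulnerable shape: no override, so every profile field is stored verbatim.
class VulnerableCustomer extends DemoModel
{
}

// Hardened shape: the profile fields are declared for sanitization on input.
class HardenedCustomer extends DemoModel
{
    protected function params_to_sanitize(): array
    {
        return ['first_name', 'last_name', 'phone', 'notes'];
    }
}

// Placeholder-to-value map shared by both preview variants.
function customer_vars(DemoModel $c): array
{
    return [
        '{{customer_full_name}}'  => $c->get('first_name') . ' ' . $c->get('last_name'),
        '{{customer_first_name}}' => $c->get('first_name'),
        '{{customer_last_name}}'  => $c->get('last_name'),
        '{{customer_phone}}'      => $c->get('phone'),
        '{{customer_notes}}'      => $c->get('notes'),
    ];
}

// Vulnerable preview: stored values are substituted into the template HTML unescaped.
function generate_preview_vulnerable(string $template, DemoModel $c): string
{
    $vars = customer_vars($c);
    return str_replace(array_keys($vars), array_values($vars), $template);
}

// Hardened preview: each value is escaped for an HTML text context before substitution,
// which also neutralizes rows that were stored before input sanitization existed.
function generate_preview_hardened(string $template, DemoModel $c): string
{
    $vars = customer_vars($c);
    return str_replace(array_keys($vars), array_map('esc_html', array_values($vars)), $template);
}

// Constructed sample POST body of the kind a customer-level account could submit.
$post = [
    'first_name' => '<img src=x onerror=alert(document.cookie)>',
    'last_name'  => 'Smith',
    'phone'      => '555-0100',
    'notes'      => '"><script>alert(1)</script>',
];
$template = '<p>Booking for {{customer_full_name}} ({{customer_phone}})</p><p>{{customer_notes}}</p>';

$vuln = new VulnerableCustomer();
$vuln->set_data($post);
$hard = new HardenedCustomer();
$hard->set_data($post);

echo "vulnerable: " . generate_preview_vulnerable($template, $vuln) . PHP_EOL;
echo "hardened:   " . generate_preview_hardened($template, $hard) . PHP_EOL;
```

Run it with `php` on the command line: the vulnerable line reproduces the img and script payloads intact inside the preview markup, while the hardened line shows the tags stripped on input and any remaining angle brackets and quotes converted to HTML entities on output. The two controls are deliberately independent: output escaping is what protects the preview panel, and input sanitization is defence in depth that limits what reaches the database in the first place.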