📄 الوصف (الإنجليزية)
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.
🤖 ملخص AI
CVE-2026-7332 is a high-severity Stored Cross-Site Scripting (XSS) vulnerability in the LatePoint WordPress booking plugin affecting versions up to 5.5.0. Unauthenticated attackers can inject malicious scripts via the 'booking_form_page_url' parameter that persist in the database and execute for all users accessing affected pages. This vulnerability is particularly dangerous as it requires no Stripe integration and no authentication, making it accessible to any internet-facing WordPress installation using this plugin.
📄 الوصف (العربية)
🤖 التحليل الذكي آخر تحليل: May 10, 2026 19:25
🇸🇦 التأثير على المملكة العربية السعودية
This vulnerability poses significant risk to Saudi organizations using WordPress for booking and appointment systems, particularly in healthcare (clinics, hospitals), hospitality (hotels, resorts), professional services (consulting, legal), and e-commerce sectors. Saudi government entities and ARAMCO contractors using WordPress-based booking systems are at risk. The vulnerability could lead to credential theft, malware distribution, defacement, and compromise of customer data. Organizations under SAMA oversight using this plugin for customer-facing services face regulatory compliance violations. The lack of authentication requirement makes this particularly dangerous for publicly accessible Saudi websites.
🏢 القطاعات السعودية المتأثرة
Healthcare (clinics, hospitals, medical centers)
Hospitality (hotels, resorts, tourism)
Professional Services (consulting, legal, accounting)
E-commerce and Retail
Government and Public Sector
Education (universities, training centers)
Financial Services (non-banking)
Real Estate and Property Management
🎯 تقنيات MITRE ATT&CK
⚖️ درجة المخاطر السعودية (AI)
8.2
/ 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Identify all WordPress installations using LatePoint plugin versions ≤5.5.0 across your organization
2. Disable the LatePoint plugin immediately if no patch is available
3. Review database logs and activity entries for suspicious 'booking_form_page_url' parameters containing script tags or encoded payloads
4. Audit all booking pages and forms for injected malicious content
PATCHING GUIDANCE:
1. Monitor LatePoint official repository for security updates beyond version 5.5.0
2. Once patch is released, apply immediately to all affected WordPress installations
3. Test patches in staging environment before production deployment
COMPENSATING CONTROLS (if patch unavailable):
1. Implement Web Application Firewall (WAF) rules to block requests containing script tags in 'booking_form_page_url' parameter
2. Apply strict Content Security Policy (CSP) headers: Content-Security-Policy: default-src 'self'; script-src 'self'
3. Disable plugin functionality and replace with alternative booking solution
4. Implement input validation at application level to reject URLs containing HTML/JavaScript
5. Enable WordPress security plugins (Wordfence, Sucuri) with XSS detection rules
DETECTION RULES:
1. Monitor database queries for INSERT/UPDATE operations on latepoint tables with 'booking_form_page_url' containing: <script, javascript:, onerror=, onload=, onclick=
2. Log and alert on POST requests to WordPress admin with 'booking_form_page_url' parameter
3. Monitor for latepoint_order_intent_created hook execution without valid Stripe configuration
4. Review WordPress error logs for XSS-related warnings
5. Implement SIEM rules to detect multiple users accessing same booking page with different user-agents (potential XSS exploitation)
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع تثبيتات WordPress التي تستخدم إضافة LatePoint بإصدارات ≤5.5.0 عبر مؤسستك
2. تعطيل إضافة LatePoint فوراً إذا لم يكن هناك تصحيح متاح
3. مراجعة سجلات قاعدة البيانات والإدخالات النشطة للبحث عن معاملات 'booking_form_page_url' المريبة التي تحتوي على علامات نصية أو حمولات مشفرة
4. تدقيق جميع صفحات الحجز والنماذج للبحث عن محتوى ضار مُدرج
إرشادات التصحيح:
1. مراقبة مستودع LatePoint الرسمي للتحديثات الأمنية بعد الإصدار 5.5.0
2. عند إصدار التصحيح، طبقه فوراً على جميع تثبيتات WordPress المتأثرة
3. اختبر التصحيحات في بيئة التطوير قبل نشرها في الإنتاج
الضوابط البديلة (إذا لم يكن التصحيح متاحاً):
1. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) لحجب الطلبات التي تحتوي على علامات نصية في معامل 'booking_form_page_url'
2. تطبيق رؤوس سياسة أمان المحتوى الصارمة: Content-Security-Policy: default-src 'self'; script-src 'self'
3. تعطيل وظائف الإضافة واستبدالها بحل حجز بديل
4. تطبيق التحقق من صحة الإدخال على مستوى التطبيق لرفض عناوين URL التي تحتوي على HTML/JavaScript
5. تفعيل إضافات أمان WordPress (Wordfence, Sucuri) مع قواعد كشف XSS
قواعد الكشف:
1. مراقبة استعلامات قاعدة البيانات لعمليات INSERT/UPDATE على جداول latepoint التي تحتوي على 'booking_form_page_url' تحتوي على: <script, javascript:, onerror=, onload=, onclick=
2. تسجيل والتنبيه على طلبات POST إلى WordPress admin مع معامل 'booking_form_page_url'
3. مراقبة تنفيذ خطاف latepoint_order_intent_created بدون تكوين Stripe صحيح
4. مراجعة سجلات أخطاء WordPress للتحذيرات المتعلقة بـ XSS
5. تطبيق قواعد SIEM للكشف عن وصول عدة مستخدمين إلى نفس صفحة الحجز مع وكلاء مستخدمين مختلفين (استغلال XSS المحتمل)
📋 خريطة الامتثال التنظيمي
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements for supplier relationships
ECC 2024 A.14.2.5 - Addressing information security in supplier agreements
ECC 2024 A.5.23 - Web application security controls
ECC 2024 A.6.37 - Input validation and output encoding requirements
🔵 SAMA CSF
SAMA CSF 1.1 - Governance and Risk Management
SAMA CSF 2.2 - Information and Communications Technology (ICT) Security
SAMA CSF 2.2.1 - ICT Security Risk Assessment
SAMA CSF 2.2.2 - ICT Security Controls Implementation
SAMA CSF 3.1 - Incident Management and Business Continuity
🟡 ISO 27001:2022
ISO 27001:2022 A.5.1 - Policies for information security
ISO 27001:2022 A.8.2 - Information security awareness, education and training
ISO 27001:2022 A.8.3 - Information security incident management
ISO 27001:2022 A.8.22 - Restrictions on information systems access
ISO 27001:2022 A.8.24 - Use of cryptography
🟣 PCI DSS v4.0.1
PCI DSS 6.5.1 - Injection flaws prevention
PCI DSS 6.5.7 - Cross-site scripting (XSS) prevention
PCI DSS 6.2 - Security patches and updates
PCI DSS 11.3 - Penetration testing and vulnerability assessments
🔗 المراجع والمصادر 11
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
🔗
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/activit...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/controllers/stripe_...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/activities_...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/activit...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/stripe_...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/activities_...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/activities_c...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/stripe_conne...
security@wordfence.com
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/activities_helpe...
security@wordfence.com
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=352293...
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/c03ddcf0-6955-4645-b311-c3833...
security@wordfence.com