CVE-2026-0617
LatePoint · LatePoint – Calendar Booking Plugin for Appointments and Events
A high-severity vulnerability exists in the LatePoint WordPress plugin, allowing attackers to inject malicious code into customer profile fields.
Executive summary
A high-severity vulnerability exists in the LatePoint WordPress plugin, allowing attackers to inject malicious code into customer profile fields. When an administrator views a compromised profile, this code can execute, potentially leading to the theft of administrative credentials, website defacement, or the compromise of sensitive customer data. Organizations using this plugin are at risk of a full website takeover if this vulnerability is exploited.
Vulnerability
This vulnerability is a Stored Cross-Site Scripting (XSS) flaw. An attacker can create or modify a customer profile and inject malicious JavaScript code into input fields (e.g., name, address, notes). The application fails to properly sanitize this user-supplied input before storing it in the database. When a privileged user, such as an administrator, views the compromised customer profile in the WordPress dashboard, the malicious script is rendered by the page and executes within the administrator's browser, inheriting their permissions.
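The pattern described above, as an added illustration that is not code from the advisory or from the LatePoint plugin: a customer field is concatenated into the admin page with no output encoding (vulnerable), then the same field rendered with HTML escaping (hardened). The sample field value and the helper names are constructed for this example, and the probe string is a harmless marker used only to show what survives each rendering path. A small HTMLParser-based check reports which pieces of the rendered markup a browser would actually execute.

```python
import html
from html.parser import HTMLParser

# Constructed sample: a customer "notes" value as an attacker might submit it.
# It only carries inert probe markers; the point is to compare what each
# rendering path leaves in the page the administrator loads.
UNTRUSTED_NOTES = 'Prefers mornings<script>alert("xss")</script><img src=x onerror="alert(1)">'


def render_profile_unsafe(name: str, notes: str) -> str:
    """Vulnerable pattern: user-controlled fields are dropped into the admin
    page markup as-is, so any tags in them become part of the document."""
    return f'<h2>{name}</h2><p class="notes">{notes}</p>'


def render_profile_safe(name: str, notes: str) -> str:
    """Hardened pattern: every untrusted value is HTML-escaped at output time,
    so '<' becomes '&lt;' and the browser shows the field as text."""
    return f'<h2>{html.escape(name)}</h2><p class="notes">{html.escape(notes)}</p>'


class ActiveContentFinder(HTMLParser):
    """Collects script elements and on* event-handler attributes, i.e. the
    parts of a rendered page a browser would execute."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("script element")
        for attr, _value in attrs:
            if attr.lower().startswith("on"):
                self.findings.append(f"{tag}@{attr}")


def active_content(markup: str) -> list[str]:
    """Return the executable pieces found in the given markup (empty if none)."""
    finder = ActiveContentFinder()
    finder.feed(markup)
    return finder.findings


if __name__ == "__main__":
    unsafe = render_profile_unsafe("Alice", UNTRUSTED_NOTES)
    safe = render_profile_safe("Alice", UNTRUSTED_NOTES)
    print("unsafe render executes:", active_content(unsafe))
    print("safe render executes:  ", active_content(safe))
```

The escaped version is what a WordPress plugin gets from applying an output-escaping function at the point where the value is printed into the admin page; input filtering alone does not help once a value has already been stored.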
Business impact
This vulnerability is rated as High severity with a CVSS score of 7.2. Successful exploitation could lead to significant negative business impacts. An attacker could use this flaw to steal an administrator's session cookies, allowing them to hijack the administrator's session and gain full control over the WordPress site. This could result in the theft of sensitive customer appointment data, website defacement, installation of backdoors, or redirection of users to malicious websites, leading to severe reputational damage, loss of customer trust, and potential regulatory fines.
Remediation
Immediate Action: Immediately update the "LatePoint – Calendar Booking Plugin for Appointments and Events" to the latest patched version (a version higher than 5). If the plugin is not essential for business operations, consider deactivating and removing it until it can be safely updated.
Proactive Monitoring: Monitor web server access logs for suspicious POST requests to customer profile pages whose parameters contain HTML script tags or event-handler attributes (e.g., <script>, onerror=, onload=). Regularly audit customer profile data directly in the database for stored scripts. Implement alerts for unusual administrative activities, such as plugin installation or user creation from unexpected IP addresses.
Compensating Controls: If patching is not immediately possible, deploy a Web Application Firewall (WAF) with rulesets designed to detect and block XSS attacks. Implement a strict Content Security Policy (CSP) on the WordPress admin area to prevent the execution of untrusted inline scripts, which can mitigate the impact of an XSS injection.
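The two monitoring steps above (scanning access logs for script markers in POST requests, and auditing stored profile fields), as an added example that is not part of the advisory or of the plugin: the log lines, request paths, action parameter and profile rows below are all constructed for this example and do not reflect LatePoint's real routes or schema. Matching is done on the URL-decoded request target so percent-encoded payloads are caught as well.

```python
import re
from urllib.parse import unquote_plus

# The markers the advisory names (script tags, onerror=, onload=).
XSS_MARKERS = re.compile(r"<\s*script\b|\bon(?:error|load)\s*=", re.IGNORECASE)

# Constructed sample access-log lines (combined log format). Request bodies are
# not logged, so the POST target and its query string are what we can inspect.
# The paths and the action parameter are illustrative, not the plugin's routes.
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Jan/2026:10:01:02 +0000] "POST /wp-admin/admin-ajax.php?action=customer_profile&notes=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jan/2026:10:02:15 +0000] "GET /wp-admin/admin.php?page=customers HTTP/1.1" 200 8211 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jan/2026:10:03:40 +0000] "POST /wp-admin/admin-ajax.php?action=customer_profile&name=%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Jan/2026:10:04:01 +0000] "POST /wp-admin/admin-ajax.php?action=customer_profile&notes=Prefers%20mornings HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(log_text: str) -> list[tuple[str, str, str]]:
    """Return (client ip, timestamp, decoded target) for POST requests whose
    decoded target carries one of the XSS markers."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m or m["method"] != "POST":
            continue
        decoded = unquote_plus(m["path"])
        if XSS_MARKERS.search(decoded):
            hits.append((m["ip"], m["ts"], decoded))
    return hits


# Constructed rows standing in for the customer table; in a real audit these
# would come from a SELECT over the plugin's customer fields.
SAMPLE_PROFILES = [
    {"id": 1, "name": "Alice", "notes": "Prefers mornings"},
    {"id": 2, "name": "<img src=x onerror=alert(1)>", "notes": ""},
    {"id": 3, "name": "Bob", "notes": "call before 9<script>alert(1)</script>"},
]


def suspicious_profiles(rows, fields=("name", "notes")) -> list[tuple[int, str]]:
    """Return (row id, field name) for every stored value containing a marker."""
    flagged = []
    for row in rows:
        for field in fields:
            if XSS_MARKERS.search(str(row.get(field, ""))):
                flagged.append((row["id"], field))
    return flagged


if __name__ == "__main__":
    for ip, ts, target in suspicious_requests(SAMPLE_ACCESS_LOG):
        print(f"[log] {ts} {ip} -> {target}")
    for row_id, field in suspicious_profiles(SAMPLE_PROFILES):
        print(f"[db] customer {row_id}: field '{field}' contains script markers")
```

A hit in the log scan gives the source address and time to pivot on; a hit in the database audit identifies the profile that must be cleaned before an administrator opens it. Both checks are string matches and will miss obfuscated payloads, so they complement rather than replace the patch.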
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 7.2) and the potential for a full site compromise, it is strongly recommended that organizations prioritize applying the vendor-supplied patch for the LatePoint plugin immediately. Although there is no evidence of active exploitation, the risk of an administrator account takeover presents a critical threat. After patching, organizations should perform a security review to ensure no malicious profiles were created prior to the update and to verify that no unauthorized administrative changes have occurred.