{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/wordfence/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.2,"id":"CVE-2026-7448"}],"_cs_exploited":false,"_cs_products":["LatePoint – Calendar Booking Plugin for Appointments and Events \u003c= 5.5.0"],"_cs_severities":["medium"],"_cs_tags":["wordpress","xss","cve-2026-7448"],"_cs_type":"advisory","_cs_vendors":["Wordfence"],"content_html":"\u003cp\u003eCVE-2026-7448 identifies a stored cross-site scripting (XSS) vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress. The vulnerability exists due to insufficient input sanitization and output escaping of the \u0026lsquo;first_name\u0026rsquo; parameter. This flaw allows unauthenticated attackers to inject arbitrary JavaScript code into the WordPress site. Successful exploitation of this vulnerability enables attackers to execute malicious scripts in a user\u0026rsquo;s browser when they access the affected page. This can lead to session hijacking, defacement of the website, or redirection to malicious sites. \nAll versions of the LatePoint plugin up to and including 5.5.0 are affected.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker crafts a malicious request containing JavaScript code in the \u003ccode\u003efirst_name\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted request to the WordPress server hosting the vulnerable LatePoint plugin.\u003c/li\u003e\n\u003cli\u003eThe LatePoint plugin processes the request without proper sanitization of the \u003ccode\u003efirst_name\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eThe unsanitized input is stored in the WordPress database.\u003c/li\u003e\n\u003cli\u003eA user accesses a page that displays the stored data from the \u003ccode\u003efirst_name\u003c/code\u003e field.\u003c/li\u003e\n\u003cli\u003eThe malicious JavaScript code is executed in the user\u0026rsquo;s browser.\u003c/li\u003e\n\u003cli\u003eThe attacker can potentially steal cookies, redirect the user to a malicious website, or deface the website.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability can lead to a variety of negative consequences, including account compromise, defacement of the website, and the potential spread of malware to users. The vulnerability affects all users of the LatePoint plugin up to version 5.5.0. \nGiven the popularity of WordPress and the LatePoint plugin, a large number of websites are potentially vulnerable.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade the LatePoint – Calendar Booking Plugin for Appointments and Events to a version greater than 5.5.0 to patch CVE-2026-7448.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect LatePoint XSS Attempt\u003c/code\u003e to your SIEM to detect potential exploitation attempts.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests containing JavaScript code in the \u003ccode\u003efirst_name\u003c/code\u003e parameter.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T08:16:04Z","date_published":"2026-05-06T08:16:04Z","id":"/briefs/2026-05-latepoint-xss/","summary":"The LatePoint WordPress plugin is vulnerable to stored cross-site scripting (XSS) via the 'first_name' parameter, affecting versions up to 5.5.0, allowing unauthenticated attackers to inject malicious scripts.","title":"LatePoint WordPress Plugin Vulnerable to Stored XSS (CVE-2026-7448)","url":"https://feed.craftedsignal.io/briefs/2026-05-latepoint-xss/"}],"language":"en","title":"CraftedSignal Threat Feed — Wordfence","version":"https://jsonfeed.org/version/1.1"}