Cyber Posture

CVE-2026-7332

High

Published: 06 May 2026

Published
06 May 2026
Modified
06 May 2026
KEV Added
Patch
CVSS Score 7.2 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
EPSS Score 0.0016 36.7th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'booking_form_page_url' parameter in all versions up to, and including, 5.5.0 due to insufficient input sanitization and output escaping. This…

more

makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The malicious activity log entry is written to the database even when Stripe is not configured, because the latepoint_order_intent_created action hook fires before the Stripe Connect account ID is validated, meaning a fully functional Stripe integration is not required for exploitation.

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CA-8 Penetration Testing
addresses: CWE-79

Penetration testing submits XSS payloads to web applications, detecting cross-site scripting flaws for subsequent remediation.

SI-10 Information Input Validation
addresses: CWE-79

Validates web inputs to reject script-related content that could produce XSS.

SI-15 Information Output Filtering
addresses: CWE-79

Output validation against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.

Security SummaryAI

CVE-2026-7332 is a stored cross-site scripting (XSS) vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress. It affects all versions up to and including 5.5.0 due to insufficient input sanitization and output escaping of the 'booking_form_page_url' parameter. This flaw allows arbitrary web scripts to be injected into pages, which execute whenever a user accesses an affected page. The vulnerability is associated with CWE-79 and has a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N).

Unauthenticated attackers can exploit the vulnerability by submitting a malicious payload via the 'booking_form_page_url' parameter, resulting in a stored script that executes in users' browsers upon page access. Exploitation does not require a fully functional Stripe integration, as a malicious activity log entry is written to the database even without Stripe configuration. This occurs because the latepoint_order_intent_created action hook fires before validation of the Stripe Connect account ID.

References provided include WordPress plugin trac browser links to vulnerable code in versions 5.4.1 and 5.5.0, specifically activities_controller.php at line 214, stripe_connect_controller.php at line 260, and activities_helper.php at line 83. These highlight the unsanitized handling paths enabling the stored XSS.

Details

CWE(s)
CWE-79

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
T1203 Exploitation for Client Execution Execution
Adversaries may exploit software vulnerabilities in client applications to execute code.
attack.mitre.org →
T1059.007 JavaScript Execution
Adversaries may abuse various implementations of JavaScript for execution.
attack.mitre.org →
T1189 Drive-by Compromise Initial Access
Adversaries may gain access to a system through a user visiting a website over the normal course of browsing.
attack.mitre.org →
Why these techniques?

Stored XSS in public-facing WordPress plugin directly enables unauthenticated exploitation of the app (T1190), client-side script execution via injected JS (T1203, T1059.007), and drive-by compromise for visitors loading affected pages (T1189).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References