LatePoint – Calendar Booking Plugin for Appointments and Events

Vulnerabilities: 27
Slug: latepoint
Latest version: 5.5.1

Minimum safe version

5.5.1

Update to 5.5.1 or later to address 25 fixable vulnerabilities

Latest available: 5.5.1 ⚠ 2 vulnerabilities have no fix
High 8.8
2026-04-27 < 5.4.2

CVE-2026-6741

N/A
2026-04-27 < 5.4.2

LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability

N/A
2026-02-02 < 5.2.6

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.5 - Unauthenticated Stored Cross-Site Scripting

N/A
2026-02-11 < 5.2.7

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.6 - Missing Authorization to Booking Details Exposure

N/A
2026-03-02 < 5.2.8

LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import

N/A
2026-03-02 < 5.2.8

LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation

N/A
2026-03-10 < 5.2.8

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting

N/A
2026-04-07 < 5.3.1

LatePoint <= 5.3.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

High 8.8
2025-09-30 < 5.2.0

LatePoint <= 5.1.94 - Cross-Site Request Forgery to Account Takeover via change_password() Function

High 8.2
2025-09-30 < 5.2.0

LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function

Medium 6.4
2025-09-30 < 5.2.0

LatePoint <= 5.1.94 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

Medium 5.5
2025-09-30 < 5.2.0

LatePoint <= 5.1.94 - Authenticated (Administrator+) Stored Cross-Site Scripting

Critical 9.8
2025-08-13 < 5.1.94

LatePoint <= 5.1.93 - Unauthenticated Local File Inclusion

Medium 5.3
2025-05-14 < 5.1.93

Latepoint <= 5.1.92 - Unauthenticated Insecure Direct Object Reference

Medium 5.4 Unfixed
2024-09-17 ≤ 4.9.91

WordPress LatePoint plugin <= 4.9.91 - Cross Site Scripting (XSS) vulnerability

High 8.8 Unfixed
2024-10-21 ≤ 4.9.91

WordPress LatePoint plugin <= 4.9.91 - Cross Site Request Forgery (CSRF) vulnerability