CVE-2026-7332: WordPress LatePoint Plugin XSS Flaw Exposes Unauthenticated Attackers

The National Vulnerability Database has published CVE-2026-7332, a critical stored Cross-Site Scripting (XSS) vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress. Affecting all versions up to 5.5.0, the flaw stems from insufficient input sanitization and output escaping of the 'booking_form_page_url' parameter. An unauthenticated attacker can store script in that value; the script then executes in the browser of every user who later views the affected page, which puts site visitors and logged-in staff alike at risk.

Exploitation does not require a working Stripe payment integration. According to the National Vulnerability Database, the vulnerable action hook fires before the plugin validates the Stripe Connect account ID, so the request is still handled and the injected value stored even on sites where Stripe has never been set up. That removes a precondition which would otherwise have narrowed the set of exposed installations, and it lowers the bar for attackers considerably.
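The bug class behind this CVE, shown as an added example in Python rather than the plugin's own PHP (this is not LatePoint's code, and the assumption that the stored booking_form_page_url value ends up inside an href attribute is mine, not something the advisory states). The point the example makes is that a URL parameter needs two separate defences: a scheme allow-list on the way in, because attribute escaping alone lets a javascript: URL through, and attribute escaping on the way out, because a well-formed https URL can still smuggle markup in its path. The helper names (render_vulnerable, sanitize_page_url, render_hardened) are hypothetical.

```python
import html
from urllib.parse import urlsplit

# Added example, not LatePoint's PHP: a Python model of the bug class behind this CVE.
# Assumption (not stated on the page): the stored booking_form_page_url value is
# rendered into an href attribute of the booking form.

ALLOWED_SCHEMES = {"http", "https"}


def render_vulnerable(page_url: str) -> str:
    """The flawed pattern: a stored, attacker-controlled URL is echoed into
    an attribute with neither input sanitization nor output escaping."""
    return f'<a href="{page_url}">Book now</a>'


def sanitize_page_url(page_url: str) -> str:
    """Input-side check, in the spirit of WordPress esc_url_raw(): accept only
    absolute http(s) URLs and return "" for anything else.  Tabs and newlines
    are removed first because browsers ignore them inside a scheme, so
    'java\\tscript:' would otherwise slip past a naive prefix check."""
    cleaned = "".join(ch for ch in page_url.strip() if ch not in "\t\r\n")
    parts = urlsplit(cleaned)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return ""
    return cleaned


def render_hardened(page_url: str) -> str:
    """Both layers: validate the value as a URL on the way in, and escape it
    for the attribute context on the way out (cf. esc_url()/esc_attr())."""
    safe = sanitize_page_url(page_url)
    return f'<a href="{html.escape(safe, quote=True)}">Book now</a>'


if __name__ == "__main__":
    # Constructed payloads: attribute breakout, a script-scheme URL, and an
    # https URL that carries markup in its path.
    for payload in (
        'https://example.com/book',
        '"><script>alert(1)</script>',
        'javascript:alert(document.cookie)',
        'https://example.com/"><img src=x onerror=alert(1)>',
    ):
        print("vulnerable:", render_vulnerable(payload))
        print("hardened:  ", render_hardened(payload))
```

The last payload is the instructive one: the scheme check accepts it because it really is an https URL, and only the output escaping turns the smuggled `<img ... onerror=...>` into inert text. Dropping either layer reopens one of the two paths.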

Defenders should treat this as a patch-now item. Organizations running LatePoint should upgrade to the latest release; every version up to 5.5.0 is affected. Because the exploit needs no account and little skill, assume that an unpatched site may already carry an injected payload: review the stored booking-form settings for script or event-handler markup, and check web server and WAF logs for admin-ajax.php requests in which booking_form_page_url carries such content.

What This Means For You

  • If your organization uses the LatePoint booking plugin on WordPress, patch to the latest version immediately. CVE-2026-7332 lets unauthenticated attackers store script in the plugin's booking_form_page_url value; the script then runs in the browser of anyone who views the affected page, including logged-in administrators, which can lead to session hijacking or credential theft.

Related ATT&CK Techniques

🛡️ Detection Rules

Level: high · ATT&CK T1190 (Initial Access)

Sigma YAML
title: CVE-2026-7332: WordPress LatePoint Plugin Stored XSS via booking_form_page_url
id: scw-2026-05-06-ai-1
status: experimental
level: high
description: |
  Detects attempts to exploit CVE-2026-7332 in the WordPress LatePoint plugin: requests to
  'admin-ajax.php' with the 'latepoint_save_booking_form' action whose 'booking_form_page_url'
  parameter carries XSS markers such as '<script', 'alert(' or 'onerror=', in plain or
  percent-encoded form. Web server logs hold only the query string; if the plugin accepts the
  parameter in a POST body, pair this rule with WAF or application-level logging.
author: SCW Feed Engine (AI-generated)
date: 2026-05-06
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-7332/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  # Sigma semantics: keys within one selection are ANDed, values in a list are ORed.
  # A repeated 'cs-uri-query|contains' key would be collapsed by YAML parsers to its
  # last value, so the two query conditions go under a single 'contains|all' key.
  selection:
    cs-uri|contains: '/wp-admin/admin-ajax.php'
    cs-uri-query|contains|all:
      - 'action=latepoint_save_booking_form'   # verify the action name against the plugin version in use
      - 'booking_form_page_url='
  selection_indicators:
    cs-uri-query|contains:
      - '<script'
      - 'alert('
      - 'onerror='
      - '%3Cscript'   # percent-encoded variants; 'contains' is case-insensitive
      - 'alert%28'
      - 'onerror%3D'
  condition: selection and selection_indicators
falsepositives:
  - Legitimate administrative activity
  - Vulnerability scanners and WAF self-tests
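To see what the rule's conditions actually catch, here is its logic re-implemented in Python and run over constructed log lines. This is an added example, not code from the page, the SCW feed or the plugin: the log lines are made up for the test (W3C extended format, fields date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query, sc-status), the action name is the one the rule asserts and must be verified against the installed plugin, and 'javascript:' is an indicator added here beyond the rule's three. The example also generalizes slightly by matching '<script' rather than only '<script>', and it contrasts a literal substring check on the logged query with the same check after percent-decoding, which is the gap the rule's encoded variants close.

```python
from urllib.parse import parse_qs

# Added example, not code from the page or the plugin: the Sigma rule's logic
# re-implemented so it can be run over log lines, plus a decoded variant.
# Constructed sample lines in W3C extended format with the fields
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status; "-" means no query.
SAMPLE_LOG = """\
2026-05-06 11:20:01 203.0.113.7 GET /wp-admin/admin-ajax.php action=latepoint_save_booking_form&booking_form_page_url=%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E 200
2026-05-06 11:20:05 203.0.113.7 GET /wp-admin/admin-ajax.php action=latepoint_save_booking_form&booking_form_page_url=https%3A%2F%2Fexample.com%2Fbook 200
2026-05-06 11:20:09 198.51.100.4 GET /wp-admin/admin-ajax.php action=heartbeat&_nonce=abc123 200
2026-05-06 11:20:12 203.0.113.7 POST /wp-admin/admin-ajax.php - 200
2026-05-06 11:20:15 203.0.113.9 GET /wp-admin/admin-ajax.php action=latepoint_save_booking_form&booking_form_page_url=javascript%3Aalert%28document.cookie%29 200
2026-05-06 11:20:18 203.0.113.9 GET /wp-admin/admin-ajax.php action=latepoint_save_booking_form&booking_form_page_url=x%22%20onerror=alert(1) 200
"""

AJAX_PATH = "/wp-admin/admin-ajax.php"
ACTION = "latepoint_save_booking_form"   # as asserted by the rule; verify against your plugin version
PARAM = "booking_form_page_url"
# Markers from the rule, plus "javascript:" (added here); all compared case-insensitively
INDICATORS = ("<script", "alert(", "onerror=", "javascript:")


def parse_line(line: str):
    """Split one log line into a record; None for lines that do not have 7 fields."""
    fields = line.split()
    if len(fields) != 7:
        return None
    _date, _time, c_ip, method, stem, query, status = fields
    return {"ip": c_ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": status}


def matches_raw(rec) -> bool:
    """Literal reading of the Sigma rule: substring tests on the query as logged."""
    q = rec["query"].lower()
    return (AJAX_PATH in rec["stem"]
            and f"action={ACTION}" in q and f"{PARAM}=" in q
            and any(marker in q for marker in INDICATORS))


def matches_decoded(rec) -> bool:
    """Same conditions applied to the percent-decoded parameter value, so
    %3Cscript%3E and alert%281%29 are caught as well as their plain forms."""
    if AJAX_PATH not in rec["stem"] or not rec["query"]:
        # A POST carries its parameters in the body, which web server logs do not
        # record: such requests are invisible here and need WAF or application logs.
        return False
    params = parse_qs(rec["query"], keep_blank_values=True)  # decodes each value once
    if params.get("action") != [ACTION] or PARAM not in params:
        return False
    value = params[PARAM][0].lower()
    return any(marker in value for marker in INDICATORS)


def scan(log_text: str, matcher) -> list:
    """Return the 1-based line numbers of the log entries the matcher flags."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        rec = parse_line(line)
        if rec and matcher(rec):
            hits.append(lineno)
    return hits


if __name__ == "__main__":
    print("raw rule hits:    ", scan(SAMPLE_LOG, matches_raw))
    print("decoded rule hits:", scan(SAMPLE_LOG, matches_decoded))
```

On the sample, the literal check flags only the sixth line, where the attacker left onerror= and alert( unencoded; the decoded check also flags the first and fifth, whose payloads arrive fully percent-encoded. The fourth line shows the remaining blind spot: a POST to admin-ajax.php leaves nothing in cs-uri-query to inspect.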

Source: Shimi's Cyber World

Indicators of Compromise

ID              Type              Indicator
CVE-2026-7332   Vulnerability     CVE-2026-7332
CVE-2026-7332   Affected Product  LatePoint – Calendar Booking Plugin for Appointments and Events, all versions up to 5.5.0
Source & Attribution
Source Platform: NVD
Channel: National Vulnerability Database
Published: May 06, 2026 at 11:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
