Attack Vectors
CVE-2026-2324 affects the WordPress plugin LatePoint – Calendar Booking Plugin for Appointments and Events (slug: latepoint-2) in versions 5.2.7 and earlier. It is rated Medium severity (CVSS 6.1).
The primary attack path is Cross-Site Request Forgery (CSRF), which requires user interaction: the attacker needs no account on the target site, but must get a logged-in administrator to open a crafted link or page while their WordPress session is active. The administrator's browser then submits the attacker's request with the admin's session cookies attached, so the site treats it as a legitimate action. If successful, the forged request changes booking form settings, and because the submitted content is stored and later rendered, it can carry script that persists on the site, turning the CSRF into stored cross-site scripting (stored XSS).
Security Weakness
The issue is caused by missing or incorrect nonce validation on the plugin's reload_preview() function. WordPress uses a per-user, time-limited nonce to prove that a state-changing request originated from the site's own admin pages rather than from a third-party page; without that check, the handler cannot tell a forged cross-site request from a genuine one. Note that the forged request really does arrive from the administrator's browser with valid session cookies, which is exactly why the cookie alone is not proof of intent and the nonce is needed. The result is that settings updates are accepted without the verification step that prevents CSRF.
Because the CSRF can be used to write attacker-controlled content into stored settings, it becomes stored XSS: the injected script is served from the site's own pages and runs in the browser of every visitor or staff member who loads an affected page, not just once for the administrator who was tricked.
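The following is an added illustration of the weakness class described above and of the standard WordPress fix; it is example code written for this page, not LatePoint's reload_preview() handler or any other code from the plugin. The action names, option name, field names and the `demo_` prefix are all hypothetical. The first handler shows the vulnerable pattern (no nonce, no capability check, raw HTML stored); the second shows the hardened pattern using core WordPress functions.

```php
<?php
/*
 * Illustrative WordPress AJAX handlers: added example, not LatePoint's code.
 * All action names, option names and field names below are hypothetical.
 */

// --- Vulnerable pattern: the CSRF -> stored XSS chain ---
// Any request arriving with an administrator's session cookies is accepted:
// no nonce, no capability check, and the submitted HTML is stored verbatim.
add_action( 'wp_ajax_demo_reload_preview', 'demo_reload_preview_vulnerable' );
function demo_reload_preview_vulnerable() {
    $settings = isset( $_POST['form_settings'] ) ? (array) $_POST['form_settings'] : array();
    update_option( 'demo_booking_form_settings', $settings ); // stored, later echoed: stored XSS
    wp_send_json_success( array( 'html' => $settings['intro_html'] ?? '' ) );
}

// --- Hardened pattern ---
// 1. check_ajax_referer() verifies a nonce bound to the current user and session;
//    a page on another origin cannot know it, so a forged request fails (HTTP 403).
// 2. current_user_can() confirms the caller is actually allowed to change settings;
//    a nonce proves intent, not authorization, so both checks are needed.
// 3. Stored values are sanitized on input and escaped on output so that stored
//    content cannot carry script even if another path writes to the option.
add_action( 'wp_ajax_demo_reload_preview_safe', 'demo_reload_preview_safe' );
function demo_reload_preview_safe() {
    check_ajax_referer( 'demo_reload_preview', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    $raw      = isset( $_POST['form_settings'] ) ? (array) wp_unslash( $_POST['form_settings'] ) : array();
    $settings = array(
        'title'      => sanitize_text_field( $raw['title'] ?? '' ),
        'intro_html' => wp_kses_post( $raw['intro_html'] ?? '' ), // strips <script> and on* handlers
        'steps'      => array_map( 'absint', (array) ( $raw['steps'] ?? array() ) ),
    );
    update_option( 'demo_booking_form_settings', $settings );
    wp_send_json_success( array( 'html' => demo_render_preview( $settings ) ) );
}

// Escape at output as well: defence in depth against anything that bypassed input sanitization.
function demo_render_preview( array $settings ) {
    return sprintf(
        '<div class="preview"><h3>%s</h3>%s</div>',
        esc_html( $settings['title'] ),
        wp_kses_post( $settings['intro_html'] )
    );
}

// The admin page script receives the nonce the hardened handler expects and sends it
// back as the 'nonce' POST field on every reload_preview request.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAdmin', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_reload_preview' ),
    ) );
} );
```

Two points worth keeping in mind when reviewing a handler like this: a nonce check alone does not replace a capability check (a low-privileged logged-in user can obtain a valid nonce for their own session), and sanitizing on input alone does not protect against content written to the option by some other code path, which is why the renderer escapes again on output.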
Technical or Business Impacts
Brand and customer trust risk: Stored XSS can be used to display unwanted content, redirect users, or deliver convincing fake prompts that look like part of your booking experience—damaging confidence in your brand and reducing conversions.
Data and compliance exposure: Malicious scripts can capture information users type into pages (for example, booking form fields) and, because stored XSS runs in the browser of whoever loads the page, script executing in an administrator's session can perform administrative actions on their behalf even without stealing the session cookie. Even limited exposure can trigger incident response obligations and compliance concerns, depending on your industry and what data flows through booking pages.
Operational disruption: Unauthorized booking form settings changes can degrade the customer experience (broken booking flows, misleading confirmations, altered availability display), increasing support volume and lost revenue from missed appointments or event registrations.
Similar attacks: Large-scale web skimming and script-injection campaigns have impacted major brands in the past, including British Airways (2018 Magecart-style card skimming), Ticketmaster (2018 third-party script compromise), and Magecart campaigns broadly.
Remediation: Update LatePoint – Calendar Booking Plugin for Appointments and Events to version 5.2.8 or newer (patched). Track the CVE record at https://www.cve.org/CVERecord?id=CVE-2026-2324 and the vendor advisory source at Wordfence Threat Intelligence. Note that the patch closes the forgery path but does not undo changes already made: if the site ran an affected version and administrators could have been targeted, review the plugin's stored booking form settings for unexpected HTML or script and remove anything that was not configured intentionally.