CVE-2026-2324

Medium CVSS: 6.1

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.7. This is due to missing or incorrect nonce validation on the reload_preview() function. This makes it possible for unauthenticated attackers to update settings and inject malicious web scripts via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

Vendor

Product

CWE

CWE-352

Yayın Tarihi

2026-03-11 02:16:03

Güncelleme

2026-03-11 13:52:47

Source Identifier

security@wordfence.com

KEV Date Added

Kategoriler

CWE-352 MEDIUM 2026

Referanslar

https://plugins.trac.wordpress.org/changeset/3463945/latepoint https://www.wordfence.com/threat-intel/vulnerabilities/id/b3ae93da-57ee-4966-83af-b8c57f9ad7d9?source=cve