CVE-2025-6815
📋 TL;DR
This stored XSS vulnerability in the LatePoint WordPress plugin allows authenticated administrators to inject malicious scripts into website pages. The injected scripts execute whenever users visit compromised pages, potentially leading to session hijacking or malware distribution. Only WordPress multi-site installations and sites with unfiltered_html disabled are affected.
💻 Affected Systems
- LatePoint – Calendar Booking Plugin for Appointments and Events
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could steal administrator credentials, redirect users to malicious sites, install backdoors, or deface the website.
Likely Case
Attackers with compromised admin accounts inject malicious scripts to steal user session cookies or display unwanted content.
If Mitigated
With proper input validation and output escaping, no script injection occurs and user data remains protected.
🎯 Exploit Status
Requires administrator-level access to WordPress, making exploitation more difficult than unauthenticated vulnerabilities.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: any version later than 5.1.94
Vendor Advisory: https://wordpress.org/plugins/latepoint/#developers
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the LatePoint plugin.
4. Click 'Update Now' if available.
5. Alternatively, download the latest version from the WordPress repository and update manually.
🔧 Temporary Workarounds
Enable unfiltered_html capability
Enable the unfiltered_html capability for administrators; as noted in the TL;DR, only sites where it is disabled are affected, so this removes the condition under which the vulnerability applies.
Add to wp-config.php: define('DISALLOW_UNFILTERED_HTML', false);
Disable plugin
Temporarily disable the LatePoint plugin until it is patched.
Navigate to WordPress admin → Plugins → Installed Plugins → LatePoint → Deactivate
🧯 If You Can't Patch
- Implement strict access controls for administrator accounts and enable multi-factor authentication.
- Deploy a web application firewall (WAF) with XSS protection rules and monitor for suspicious activity.
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → Installed Plugins → LatePoint version. If version is 5.1.94 or lower, you are vulnerable.
Check Version:
wp plugin list --name=latepoint --field=version (if WP-CLI installed)
Verify Fix Applied:
After updating, verify LatePoint plugin version is higher than 5.1.94 in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual POST requests to admin-ajax.php with service[name] parameter containing script tags
- Multiple failed login attempts followed by successful admin login
Network Indicators:
- Unexpected JavaScript in HTTP responses from booking pages
- External script loads from unusual domains
SIEM Query:
source="wordpress" AND (url="*admin-ajax.php*" AND post_data="*service[name]*")
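As an added example that is not part of this advisory, the log indicator and SIEM query above turned into a small Python check over constructed JSON-line request records. The field names url, method and post_data follow the SIEM query; the action value is a placeholder, not LatePoint's real AJAX action.

```python
import json
import re
from urllib.parse import parse_qs, unquote_plus

# Constructed sample records (not real traffic). The action value is a
# placeholder. A source that captures POST bodies (WAF audit log, request
# logger) is required; a plain access log does not record them.
SAMPLE_LOG = """\
{"ts":"2025-07-01T10:01:02Z","src_ip":"198.51.100.7","method":"POST","url":"/wp-admin/admin-ajax.php","post_data":"action=latepoint_example&service%5Bname%5D=Haircut&service%5Bduration%5D=30"}
{"ts":"2025-07-01T10:02:15Z","src_ip":"198.51.100.7","method":"POST","url":"/wp-admin/admin-ajax.php","post_data":"action=latepoint_example&service%5Bname%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E"}
{"ts":"2025-07-01T10:03:40Z","src_ip":"203.0.113.9","method":"POST","url":"/wp-admin/admin-ajax.php","post_data":"action=latepoint_example&service%5Bname%5D=Massage%20%3Cimg%20src%3Dx%20onerror%3Dalert(1)%3E"}
{"ts":"2025-07-01T10:04:00Z","src_ip":"203.0.113.9","method":"POST","url":"/wp-login.php","post_data":"log=admin&pwd=REDACTED"}
"""

# Opening/closing <script> tags or an inline event handler (onerror=, onload=).
SCRIPT_PATTERN = re.compile(r"<\s*/?\s*script\b|\bon[a-z]+\s*=", re.IGNORECASE)


def suspicious_service_names(post_data: str) -> list[str]:
    """Return decoded service[name] values that carry script tags or handlers."""
    # parse_qs decodes service%5Bname%5D to service[name] and percent-decodes
    # the values; the extra unquote_plus also catches double-encoded payloads.
    fields = parse_qs(post_data, keep_blank_values=True)
    return [
        unquote_plus(value)
        for value in fields.get("service[name]", [])
        if SCRIPT_PATTERN.search(unquote_plus(value))
    ]


def scan_log(log_text: str) -> list[dict]:
    """Apply the log indicator above to JSON-line request records."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Only POSTs to admin-ajax.php are in scope for this indicator.
        if rec.get("method") != "POST" or "admin-ajax.php" not in rec.get("url", ""):
            continue
        hits = suspicious_service_names(rec.get("post_data", ""))
        if hits:
            alerts.append({"ts": rec["ts"], "src_ip": rec["src_ip"], "payloads": hits})
    return alerts
```

Running scan_log(SAMPLE_LOG) flags the second and third records and ignores the benign booking and the login request.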
🔗 References
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3366851%40latepoint&new=3366851%40latepoint&sfp_email=&sfph_mail=
- https://wordpress.org/plugins/latepoint/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/28e9c77c-5c36-4449-ab90-86f2385ba1ae?source=cve