LatePoint
cpe:2.3:a:latepoint:latepoint:*:*:*:*:wordpress:*:*
- <= 5.5.0
A stored cross-site scripting vulnerability has been identified in the LatePoint WordPress plugin, affecting all versions up to and including 5.5.0. The issue arises from inadequate input sanitization on the customer cabinet profile update endpoint. Raw POST parameters such as first_name, last_name, phone, and notes bypass sanitization because the OsCustomerModel does not properly override the params_to_sanitize() method. This oversight allows unsanitized data to be saved directly into the database. Additionally, the output escaping in the generate_preview() function is insufficient, as it injects these unsanitized values into the notification template HTML using str_replace() without any prior escaping. Consequently, authenticated attackers with customer-level access or higher can inject arbitrary scripts into the admin notification preview panel. These scripts execute in the browser of an administrator or agent when a notification template that references certain customer variables is previewed.
Exploitation of this vulnerability allows for stored cross-site scripting, where injected scripts are executed in the context of the user viewing the affected notification template.
To reproduce this vulnerability, an authenticated user with customer-level access or higher can update their profile in the customer cabinet. During this process, they can include unsanitized data in the first_name, last_name, phone, or notes fields. Once the data is saved, the injected script executes when a notification template that references the injected variables is previewed in the admin notification preview panel.
Users are advised to update the LatePoint WordPress plugin to version 5.5.1 or later, where this vulnerability has been patched.
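The two gaps described above (no input sanitization on save, no output escaping in a str_replace() based preview) are shown side by side in the following added example. It is not LatePoint's code: the function names, the {{...}} placeholder syntax and the sample values are hypothetical, and plain PHP functions stand in for the WordPress helpers sanitize_text_field() and esc_html().

```php
<?php
// Added illustration; all names here are hypothetical, not LatePoint's code.

// Constructed sample: a profile whose field holds markup, as it would be
// stored when no input sanitization runs on the profile update.
$customer = ['first_name' => '<u>Ada</u>', 'notes' => 'Call after 5 & before 7'];

// Hypothetical notification template with placeholders for customer fields.
$template = '<p>Hello {{first_name}}</p><p>Notes: {{notes}}</p>';

// Pattern described in the advisory: raw values substituted via str_replace().
function preview_unescaped(string $template, array $customer): string {
    foreach ($customer as $key => $value) {
        $template = str_replace('{{' . $key . '}}', $value, $template);
    }
    return $template;
}

// Output-side fix: HTML-escape every value before substitution.
// In WordPress, esc_html() plays this role.
function preview_escaped(string $template, array $customer): string {
    foreach ($customer as $key => $value) {
        $safe = htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
        $template = str_replace('{{' . $key . '}}', $safe, $template);
    }
    return $template;
}

// Input-side fix: strip markup and control characters before saving.
// In WordPress, sanitize_text_field() plays this role.
function sanitize_profile(array $params, array $fields): array {
    foreach ($fields as $field) {
        if (isset($params[$field])) {
            $clean = strip_tags((string) $params[$field]);
            $params[$field] = trim(preg_replace('/[\x00-\x1F\x7F]/', '', $clean));
        }
    }
    return $params;
}

echo preview_unescaped($template, $customer), "\n"; // stored markup reaches the page as HTML
echo preview_escaped($template, $customer), "\n";   // stored markup is rendered as inert text
$stored = sanitize_profile($customer, ['first_name', 'last_name', 'phone', 'notes']);
echo preview_escaped($template, $stored), "\n";     // both layers applied
```

Escaping at output protects the preview even for rows saved before the input-side fix, which is why both layers are worth checking after an upgrade.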