Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the 'wordpress_user_id' field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password.
Published: 2026-03-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Immediate Patch
AI Analysis

Impact

The LatePoint plugin for WordPress is vulnerable to privilege escalation through its password reset feature. The flaw allows any user with a LatePoint Agent role to specify the 'wordpress_user_id' when creating a new customer. By assigning an arbitrary user ID—such as that of an administrator—an authenticated attacker can subsequently reset the password for that account, granting elevated privileges and full control over the site.

Affected Systems

LatePoint – Calendar Booking Plugin for Appointments and Events, all releases up to and including version 5.2.7, on WordPress sites that have any of these plugin versions installed.

Risk and Exploitability

The vulnerability carries a CVSS score of 8.8 and a very low EPSS rate of less than 1 percent, and it is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is an authenticated user holding an Agent role, who can create customers and reset passwords. Based on the description, it is inferred that an attacker only needs an existing Agent account to elevate privileges by linking a customer to an arbitrary WordPress user ID such as that of an administrator. The exploitation path requires no external access beyond valid authentication, making the risk medium to high for sites that expose the Agent role to untrusted users.

Generated by OpenCVE AI on April 15, 2026 at 16:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LatePoint plugin to version 5.2.8 or newer to eliminate the vulnerability.
  • Temporarily disable password reset functionality for agents via plugin settings or a custom code snippet until the patch is applied.
  • After updating, audit customer data to ensure no Agent-created records are linked to privileged user IDs and reset any affected passwords immediately.

Generated by OpenCVE AI on April 15, 2026 at 16:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 04 Mar 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Latepoint
Latepoint latepoint – Calendar Booking Plugin For Appointments And Events
Wordpress
Wordpress wordpress
Vendors & Products Latepoint
Latepoint latepoint – Calendar Booking Plugin For Appointments And Events
Wordpress
Wordpress wordpress

Tue, 03 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 23:30:00 +0000

Type Values Removed Values Added
Description The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the 'wordpress_user_id' field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password.
Title LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Latepoint Latepoint – Calendar Booking Plugin For Appointments And Events
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:21:48.917Z

Reserved: 2026-01-28T20:18:56.426Z

Link: CVE-2026-1566

cve-icon Vulnrichment

Updated: 2026-03-03T01:52:16.812Z

cve-icon NVD

Status : Deferred

Published: 2026-03-03T00:15:55.133

Modified: 2026-04-22T21:26:58.303

Link: CVE-2026-1566

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-15T17:00:07Z

Weaknesses