Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.
Published: 2026-04-27
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation to Administrator
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises from a missing authorization check in the connect-customer-to-wp-user ability of LatePoint. An authenticated user who holds the latepoint_agent role can call the execute() method with only the customer__edit capability, which fails to confirm that the target WordPress user ID is a privileged account. Through this flaw the attacker can associate any LatePoint customer record with an administrator’s WordPress account and then trigger the normal customer password‑reset process, ultimately allowing the attacker to take full control of the site.

Affected Systems

LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress, versions 5.4.1 and earlier.

Risk and Exploitability

The CVSS score of 8.8 signals a high‑severity vulnerability. Exploitation requires only an authenticated WordPress account possessing the default latepoint_agent role; no additional privileges or external access are needed. The lack of an authorization check provides a clear and direct path for privilege escalation. EPSS data is unavailable and the issue is not listed in CISA’s KEV catalog, but the capacity for an attacker to seize administrative credentials makes immediate attention essential.

Generated by OpenCVE AI on April 28, 2026 at 19:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LatePoint plugin to version 5.4.2 or later where the connect-customer-to-wp-user ability correctly verifies the target user’s privileges.
  • If an immediate update is not feasible, remove or disable the latepoint_agent role from any users who do not need it, or unfetter the customer__edit capability for that role.
  • Prompt all administrator accounts to reset their passwords and audit the customer records to ensure no user IDs are linked to privileged WordPress accounts.

Generated by OpenCVE AI on April 28, 2026 at 19:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 02:45:00 +0000

Type Values Removed Values Added
First Time appeared Latepoint
Latepoint latepoint – Calendar Booking Plugin For Appointments And Events
Wordpress
Wordpress wordpress
Vendors & Products Latepoint
Latepoint latepoint – Calendar Booking Plugin For Appointments And Events
Wordpress
Wordpress wordpress

Mon, 27 Apr 2026 20:00:00 +0000

Type Values Removed Values Added
Description The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.
Title LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Latepoint Latepoint – Calendar Booking Plugin For Appointments And Events
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-28T14:49:46.116Z

Reserved: 2026-04-21T11:06:48.322Z

Link: CVE-2026-6741

cve-icon Vulnrichment

Updated: 2026-04-28T14:49:06.855Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T20:16:28.580

Modified: 2026-04-27T20:21:52.070

Link: CVE-2026-6741

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:45:07Z

Weaknesses