Description
The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0. This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address, provided the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected.
Published: 2026-05-09
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The LatePoint plugin for WordPress allows an unauthenticated attacker to perform account takeover by exploiting its weak password‑recovery process. The save_connected_wordpress_user() function propagates a customer’s email address to the linked WordPress account without verifying ownership. Combined with a guest booking flow that can overwrite an existing customer’s email through phone‑based merging without authentication, an attacker can change the email address of a non‑super‑admin user that is not yet linked to LatePoint. Once the email is changed to an address controlled by the attacker, the attacker can trigger WordPress’s standard password‑reset flow and gain full control of the account.

Affected Systems

This flaw exists in LatePoint version 5.5.0 and earlier. The affected product is the LatePoint Calendar Booking Plugin for WordPress, which integrates with the WordPress user system. The vulnerability does not affect administrator accounts on single‑site installs, but any non‑super‑admin WordPress user account that is not linked to a LatePoint customer and whose account recovery settings are enabled is potentially vulnerable.

Risk and Exploitability

The CVSS score of 5.3 places the vulnerability in the moderate range. Although the EPSS score is not available, the lack of a requirement for privileged access and the possibility of carrying out the exploit entirely through the plugin’s public, unauthenticated interface make the risk appreciable. The flaw is not listed in the CISA KEV catalog. An attacker could interact with the plugin’s guest booking form to trigger the email overwrite and then use the normal WordPress password‑reset link to complete the account takeover.

Generated by OpenCVE AI on May 9, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LatePoint to version 5.5.1 or newer, which removes the vulnerable email merge and ensures ownership verification.
  • If upgrading is not possible, temporarily disable the plugin’s WordPress user integration, phone‑based contact merging, and customer authentication features until a fix is available.
  • After applying a fix, enforce email verification for password reset requests and restrict the password‑reset flow to authenticated users only.

Generated by OpenCVE AI on May 9, 2026 at 04:20 UTC.

Advisories

No advisories yet.

History

Sat, 09 May 2026 04:45:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Latepoint; Latepoint latepoint – Calendar Booking Plugin For Appointments And Events; Wordpress; Wordpress wordpress

Type: Vendors & Products
  Values Removed: (none)
  Values Added: Latepoint; Latepoint latepoint – Calendar Booking Plugin For Appointments And Events; Wordpress; Wordpress wordpress

Sat, 09 May 2026 03:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0. This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address, provided the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected.

Type: Title
  Values Removed: (none)
  Values Added: LatePoint <= 5.5.0 - Unauthenticated Account Takeover via Weak Password Recovery Mechanism

Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-640

Type: References

Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-09T02:25:39.060Z

Reserved: 2026-05-01T17:56:49.365Z

Link: CVE-2026-7652

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-09T03:16:15.117

Modified: 2026-05-09T03:16:15.117

Link: CVE-2026-7652

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-09T04:30:17Z

Weaknesses