Impact
The vulnerability chain in the LatePoint calendar booking plugin allows an authenticated user with the Agent role or higher to overwrite a WordPress Administrator’s password through an IDOR flaw in the Orders controller. This privilege escalation flaw is coupled with an unauthenticated customer‑cabinet password reset bug, rights without triggering any Administrator‑only API. Once elevated, the attacker can access, modify or delete content, install malware, and compromise the entire site. The flaw stems from improper authorization checks (CWE-269).
Affected Systems
Any WordPress site running the LatePoint calendar booking plugin in versions 5.5.1 or earlier is vulnerable. The plugin version selector is not tied to a specific WordPress core release, so all sites using these plugin releases are at risk.
Risk and Exploitability
The CVSS score of 7.5 classifies the flaw as high severity, while the EPSS score of less than 1% indicates a very low probability of widespread exploitation in the short term. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated Agent+ account or a user who can trigger the password reset flow, making the attack vector internal and limited to users who have any level of access to the site. If an attacker can obtain such a session, they can instantly elevate privileges, achieving full administrative control of the WordPress installation. The risk to administrators is therefore significant, especially on sites with sensitive data or critical business functions.
OpenCVE Enrichment