Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator.
Published: 2026-06-16
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability chain in the LatePoint calendar booking plugin allows an authenticated user with the Agent role or higher to overwrite a WordPress Administrator’s password through an IDOR flaw in the Orders controller. This privilege escalation flaw is coupled with an unauthenticated customer‑cabinet password reset bug, rights without triggering any Administrator‑only API. Once elevated, the attacker can access, modify or delete content, install malware, and compromise the entire site. The flaw stems from improper authorization checks (CWE-269).

Affected Systems

Any WordPress site running the LatePoint calendar booking plugin in versions 5.5.1 or earlier is vulnerable. The plugin version selector is not tied to a specific WordPress core release, so all sites using these plugin releases are at risk.

Risk and Exploitability

The CVSS score of 7.5 classifies the flaw as high severity, while the EPSS score of less than 1% indicates a very low probability of widespread exploitation in the short term. The vulnerability is not currently listed in the CISA KEV catalog. Exploitation requires an authenticated Agent+ account or a user who can trigger the password reset flow, making the attack vector internal and limited to users who have any level of access to the site. If an attacker can obtain such a session, they can instantly elevate privileges, achieving full administrative control of the WordPress installation. The risk to administrators is therefore significant, especially on sites with sensitive data or critical business functions.

Generated by OpenCVE AI on June 17, 2026 at 22:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the LatePoint plugin to the latest stable version that removes the IDOR and disables the unauthenticated password reset. Apply the patch as soon as it becomes available.
  • If an immediate upgrade is not possible, uninstall the current LatePoint plugin and reinstall the newest stable release to ensure the open defects are closed.
  • Restrict or disable the Agent role for users who do not require it, and consider changing passwords for existing Agent accounts to reduce the impact of potential exploitation.

Generated by OpenCVE AI on June 17, 2026 at 22:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L415 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L491 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customers_controller.php#L342 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L253 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/models/customer_model.php#L322 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customer_cabinet_controller.php#L415 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customer_cabinet_controller.php#L491 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customers_controller.php#L342 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/orders_controller.php#L100 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/orders_controller.php#L124 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/helpers/customer_helper.php#L253 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/models/customer_model.php#L322 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L415 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L491 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customers_controller.php#L342 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/orders_controller.php#L100 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/orders_controller.php#L124 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L253 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/models/customer_model.php#L322 cve-icon cve-icon
https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/models/customer_model.php#L427 cve-icon cve-icon
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3531832%40latepoint&old=3522933%40latepoint&sfp_email=&sfph_mail= cve-icon cve-icon
https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d5bb6c-2021-4fc0-bede-8da1c3fb591a?source=cve cve-icon cve-icon
History

Tue, 16 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 16 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Latepoint
Latepoint latepoint
Wordpress
Wordpress wordpress
Vendors & Products Latepoint
Latepoint latepoint
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
Description The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator.
Title LatePoint <= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset
Weaknesses CWE-269
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Latepoint Latepoint
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-06-16T14:53:59.949Z

Reserved: 2026-05-08T15:11:03.312Z

Link: CVE-2026-8176

cve-icon Vulnrichment

Updated: 2026-06-16T14:53:54.788Z

cve-icon NVD

Status : Deferred

Published: 2026-06-16T10:16:28.993

Modified: 2026-06-16T15:22:49.577

Link: CVE-2026-8176

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-17T22:45:13Z

Weaknesses
  • CWE-269

    Improper Privilege Management