What the vulnerability does
01 Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.
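To make the bug class concrete, here is an added PHP illustration; it is not LatePoint's code and does not reproduce the plugin's real handler. It models a generic "attach a plugin customer record to a WordPress user" action, first guarded only by a plugin capability (the pattern the description attributes to the execute() method), then with the missing authorization check added. Assumptions: the plugin's customer__edit capability is exposed as a WordPress capability, the link is stored as user meta, and the function names, meta key and nonce action are hypothetical.

```php
<?php
/**
 * Added illustration, not LatePoint's own code. Models the bug class described
 * above: an "attach customer record to WordPress user" action gated only by a
 * plugin-level capability that never asks whether the target user is more
 * privileged than the caller.
 *
 * Assumptions: customer__edit is registered as a WordPress capability and the
 * link is persisted as user meta. Function names, the meta key and the nonce
 * action are hypothetical.
 */

/** Persists the link. The storage choice is illustrative only. */
function example_store_link( int $customer_id, int $wp_user_id ): bool {
    return (bool) update_user_meta( $wp_user_id, 'example_customer_id', $customer_id );
}

/** VULNERABLE: any holder of customer__edit may point a record at ANY user ID. */
function example_vulnerable_link_customer( int $customer_id, int $wp_user_id ): bool {
    if ( ! current_user_can( 'customer__edit' ) ) {
        return false;
    }
    // Nothing here inspects $wp_user_id. An agent can link a customer record
    // to an administrator's account and then use the customer reset flow.
    return example_store_link( $customer_id, $wp_user_id );
}

/** HARDENED: same plugin capability, plus a check that the caller is not reaching above their own privilege. */
function example_hardened_link_customer( int $customer_id, int $wp_user_id, string $nonce ): bool {
    if ( ! current_user_can( 'customer__edit' ) ) {
        return false;
    }
    // CSRF guard: expected on any state-changing action, separate from the authz bug.
    if ( ! wp_verify_nonce( $nonce, 'example_link_customer_' . $customer_id ) ) {
        return false;
    }
    $target = get_userdata( $wp_user_id );
    if ( ! $target instanceof WP_User ) {
        return false;
    }
    // Linking a record to your own account needs no further authority.
    if ( $wp_user_id !== get_current_user_id() ) {
        // Linking to someone else is an edit of that account in all but name,
        // so require the WordPress meta capability that governs editing that user...
        if ( ! current_user_can( 'edit_user', $wp_user_id ) ) {
            return false;
        }
        // ...and refuse if the target holds any capability the caller lacks.
        // This closes the escalation: an agent cannot attach a record to an
        // administrator because the administrator holds caps the agent does not.
        $actor = wp_get_current_user();
        foreach ( $target->allcaps as $cap => $granted ) {
            if ( $granted && ! $actor->has_cap( $cap ) ) {
                return false;
            }
        }
        // Multisite super admins carry rights that do not appear in allcaps.
        if ( is_multisite() && is_super_admin( $wp_user_id ) && ! is_super_admin() ) {
            return false;
        }
    }
    return example_store_link( $customer_id, $wp_user_id );
}
```

The hardened version deliberately does not enumerate "administrator" or other role names; the rule is that nobody may link a record to an account holding a capability they lack themselves, which also covers custom roles and any future capability the plugin adds.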
Explanation of Vulnerability in Simple Terms
02 Summary
LatePoint versions up to and including 5.4.1 contain a privilege management flaw in the connect-customer-to-wp-user ability. An authenticated user with the latepoint_agent role, which holds the customer__edit capability by default, can link any LatePoint customer record to an administrator's WordPress account because the ability never checks the privileges of the target user ID. The attacker can then reset that administrator's password through the ordinary customer password-reset flow. No interaction from the administrator is required, and the result is full site takeover. Site administrators should update immediately to a version newer than 5.4.1.
What an attacker can do
03 Attacker Capabilities
Full site takeover. An attacker with the latepoint_agent role can attach a LatePoint customer record to an administrator's WordPress user and reset that administrator's password via the customer password-reset flow. With administrator access they can read, modify, or delete any site data and disrupt booking and calendar functionality.
Potential impact on your site
04 Site Impact
Administrator account compromise leading to full control of the site: unauthorized access to appointment data, customer information, and booking records; arbitrary changes to site content and configuration; and potential disruption of booking and calendar services.
Conditions required to exploit
05 Prerequisites
Attacker must be authenticated on the site with the latepoint_agent role (which holds the customer__edit capability by default) or any other role that has been granted customer__edit. The site must be running LatePoint 5.4.1 or earlier.
Key dates
06 Disclosure timeline
April 27, 2026
CVE published
April 28, 2026
Record updated