CVE-2026-6741 HIGH

CVE-2026-6741: LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability

Vendor Latepoint
Product LatePoint – Calendar Booking Plugin for Appointments and Events
Weakness CWE-269
Published April 27, 2026
Last update April 28, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.
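To make the missing check concrete, the following is an added illustrative example written for this page; it is not LatePoint's own code and does not reproduce the plugin's execute() method. The example_* function names, the option-based storage helper and the role allow-list are hypothetical; the capability name customer__edit and the role latepoint_agent are taken from the description above. The first function shows the pattern the description criticises (the only gate is the caller's own capability), the second shows the same operation with the target account validated before anything is written, using only core WordPress functions.

```php
<?php
/**
 * Added illustrative example, not LatePoint's code. Names prefixed example_
 * and the role allow-list are hypothetical; customer__edit and latepoint_agent
 * come from the advisory. Core WordPress APIs used: current_user_can(),
 * get_userdata(), user_can(), is_super_admin(), wp_roles(), update_option(),
 * apply_filters().
 */

/** Capabilities that mark a WordPress account as privileged. */
const EXAMPLE_PRIVILEGED_CAPS = array(
    'manage_options',
    'edit_users',
    'promote_users',
    'delete_users',
    'create_users',
    'edit_plugins',
    'activate_plugins',
    'edit_themes',
);

/** Hypothetical persistence helper standing in for the plugin's own storage. */
function example_store_link( int $customer_id, int $wp_user_id ): bool {
    return (bool) update_option( "example_customer_{$customer_id}_wp_user", $wp_user_id );
}

/**
 * The pattern the advisory describes: the caller's capability is checked,
 * the target WordPress user is not. An agent can therefore pass an
 * administrator's user ID, after which the customer password-reset flow
 * changes that administrator's password.
 */
function example_connect_customer_vulnerable( int $customer_id, int $wp_user_id ): bool {
    if ( ! current_user_can( 'customer__edit' ) ) {
        return false;
    }
    return example_store_link( $customer_id, $wp_user_id );
}

/**
 * Hardened form: keep the caller check, then validate the target account
 * before any write. Every failure returns false and writes nothing.
 */
function example_connect_customer_hardened( int $customer_id, int $wp_user_id ): bool {
    if ( ! current_user_can( 'customer__edit' ) ) {
        return false;
    }

    $target = get_userdata( $wp_user_id );
    if ( ! $target instanceof WP_User ) {
        return false; // no such user
    }

    // Never bind a customer record to a network super admin (multisite).
    if ( is_super_admin( $target->ID ) ) {
        return false;
    }

    // Never bind to an account holding any privileged capability, whatever
    // its role name is; user_can() resolves role and per-user capabilities.
    foreach ( EXAMPLE_PRIVILEGED_CAPS as $cap ) {
        if ( user_can( $target, $cap ) ) {
            return false;
        }
    }

    // Default deny for non-administrator callers such as agents: every role
    // of the target must be on an allow-list of low-privilege roles. The
    // hypothetical filter lets a site extend the list deliberately.
    if ( ! current_user_can( 'manage_options' ) ) {
        $allowed = apply_filters( 'example_bindable_roles', array( 'subscriber' ) );
        foreach ( $target->roles as $role ) {
            if ( ! wp_roles()->is_role( $role ) || ! in_array( $role, $allowed, true ) ) {
                return false;
            }
        }
    }

    return example_store_link( $customer_id, $wp_user_id );
}
```

The design point is that an authorization check on a "connect X to user Y" operation must evaluate Y, not only the caller: a capability that lets an agent edit customer records says nothing about which accounts those records may be wired to. Deny by default and allow-list the roles that are legitimately bindable; the capability deny-list is a second layer for custom roles that were granted administrative capabilities. As a defense-in-depth step of the editor's own suggestion, a customer-facing password-reset flow can additionally refuse to act on a linked account that holds any of the privileged capabilities above, so that a bad link alone cannot become a password change.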

Explanation of Vulnerability in Simple Terms

02 Summary

LatePoint versions up to and including 5.4.1 contain a privilege management flaw (CWE-269). The connect-customer-to-wp-user ability checks only that the caller holds the customer__edit capability, which LatePoint grants to the latepoint_agent role by default, and never checks which WordPress account the customer record is being linked to. An authenticated agent can therefore attach a LatePoint customer record to an administrator's WordPress account and then use the ordinary customer password-reset flow to set a new password for that administrator, taking over the site without any further interaction. Site administrators should update immediately to a version newer than 5.4.1.

What an attacker can do

03 Attacker Capabilities

Link any LatePoint customer record to any WordPress user, including an administrator, and then reset that user's password through the customer password-reset flow. With the resulting administrator session the attacker can read, modify, or delete all site data, install or alter plugins and themes, manage users, and disrupt booking and calendar functionality.

Potential impact on your site

04 Site Impact

Full site takeover from an account that only holds the latepoint_agent role: administrator-level access to appointment data, customer information and booking records, and to every other part of the WordPress installation; potential service disruption.

Conditions required to exploit

05 Prerequisites

Attacker must be authenticated with an account that holds the customer__edit capability, which LatePoint grants to the latepoint_agent role by default (or to any other role a site has given that capability). No interaction from the targeted administrator is required.

Key dates

06 Disclosure timeline

April 27, 2026 CVE published
April 28, 2026 Record updated