Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable and deterministic (AV:N/AC:L) with no user interaction, but requires an authenticated Agent account (PR:L); escalation to Administrator yields total C/I/A within the same site scope.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, which allows an authenticated Agent to supply an arbitrary order[customer_id] and overwrite any LatePoint customer's email field (including one linked to a WordPress Administrator's account) through the public-scope customer set_data() call, combined with a missing role verification in OsAuthHelper::authorize_customer() which logs in the linked WordPress user without checking its role. This makes it possible for authenticated attackers, with custom (Agent)-level access and above, to elevate their privileges to Administrator.
Articles & Coverage 1
AnalysisAI
Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3) lets an authenticated Agent-level user hijack any WordPress account by abusing an Insecure Direct Object Reference in OsOrdersController::create_or_update(). By supplying an arbitrary order[customer_id], an attacker overwrites the email of any LatePoint customer - including one tied to a WordPress Administrator - and then logs in as that user because OsAuthHelper::authorize_customer() never checks the linked account's role. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | The attacker must already hold an authenticated LatePoint Agent-level account (or a higher custom role) on the target WordPress site - this is the core prerequisite and main limiting factor, as the flaw is not anonymously exploitable. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8, High) is internally consistent with the description: network-reachable, low complexity, no user interaction, and requiring only low privilege (an authenticated Agent account), yielding full C/I/A impact because the end state is WordPress Administrator. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who holds (or is granted) a low-privilege LatePoint Agent account sends a crafted create_or_update() request to OsOrdersController with order[customer_id] set to the customer record linked to a site Administrator and an email value they control. The plugin overwrites the Administrator-linked customer's email, and the attacker then triggers the customer login flow, where authorize_customer() logs them in as the Administrator without any role check - resulting in full site takeover. … |
| Remediation | Update LatePoint to version 5.6.4 or later, the first release beyond the affected 5.6.3 and the one containing the fix documented in the WordPress plugin trac changeset (https://plugins.trac.wordpress.org/changeset/3590914/latepoint/trunk/lib/controllers/orders_controller.php and the 5.6.3→5.6.4 diff at https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.6.3&new_path=%2Flatepoint/tags/5.6.4); consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/8f9db3b8-dd37-4d8b-b041-50b453858a39?source=cve for details. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Audit WordPress sites for LatePoint plugin installations (versions ≤5.6.3) and immediately restrict or eliminate Agent-level user access, or deactivate the plugin. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Esca
Privilege escalation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.5.1) allows
Payment amount manipulation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.4.0)
Insecure Direct Object Reference in LatePoint Calendar Booking Plugin for WordPress (all versions ≤ 5.6.2) enables unaut
Authorization bypass in the LatePoint Calendar Booking Plugin for WordPress (all versions through 5.6.1) permits unauthe
Cross-Site Request Forgery in the LatePoint WordPress booking plugin (all versions ≤ 5.3.2) allows unauthenticated attac
Same weakness CWE-269 – Improper Privilege Management
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40943
GHSA-9xqc-qhp9-fr5q