CVE-2026-1566
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the 'wordpress_user_id' field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password.
Analysis
Authenticated agents in the LatePoint WordPress plugin versions up to 5.2.7 can arbitrarily link customer accounts to any user ID during account creation, enabling privilege escalation to administrator accounts. An attacker with agent-level access can exploit this to reset an administrator's password and gain full site control. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all LatePoint Agent accounts and restrict access to only essential personnel; document current Agent-level users and their recent activities. Within 7 days: Disable the LatePoint plugin entirely or restrict Agent role access through WordPress user management; implement enhanced monitoring on customer creation events. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today