Skip to main content

LatePoint CVE-2026-49083

| EUVDEUVD-2026-36879 HIGH
Incorrect Privilege Assignment (CWE-266)
2026-06-15 Patchstack GHSA-2prc-85pp-97r9
7.5
CVSS 3.1 · Vendor: Patchstack
Share

Severity by source

Vendor (Patchstack) PRIMARY
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Network-reachable WordPress endpoint (AV:N), contributor account required (PR:L), non-trivial exploitation conditions (AC:H), no admin interaction (UI:N), and full site takeover yields C:H/I:H/A:H.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Patchstack).

CVSS VectorVendor: Patchstack

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
Jun 15, 2026 - 21:36 vuln.today

DescriptionCVE.org

Contributor Privilege Escalation in LatePoint <= 5.5.1 versions.

AnalysisAI

Privilege escalation in the LatePoint WordPress plugin versions 5.5.1 and earlier allows authenticated users holding low-privileged contributor accounts to elevate to higher-privileged roles, according to a Patchstack advisory. CVSS 3.1 scores this 7.5 (High) with full confidentiality, integrity, and availability impact, though high attack complexity and required low privileges constrain trivial exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Technical ContextAI

LatePoint is a commercial WordPress appointment-booking and scheduling plugin that integrates with WordPress user roles to manage agents, customers, and bookings. The flaw is classified as CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns or accepts a privilege level higher than what the requesting WordPress user should be granted - typically caused by missing capability checks (current_user_can), trusting client-supplied role parameters, or improperly mapping booking/agent roles back to WordPress roles. Because LatePoint exposes booking workflows and agent management to lower-privileged users, an unsafe role assignment path lets a contributor-level account acquire capabilities normally reserved for editors or administrators within the WordPress site running the plugin.

RemediationAI

Upstream fix availability is not explicitly confirmed in the provided data; administrators should upgrade LatePoint to a version newer than 5.5.1 once the vendor publishes one and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/latepoint/vulnerability/wordpress-latepoint-plugin-5-5-1-privilege-escalation-vulnerability for the patched release number. Until a fixed version is installed, restrict who can register or be assigned the WordPress Contributor role and audit existing contributor accounts for unexpected capability changes, accepting that this limits legitimate contributor-driven content workflows. As a stronger compensating control, deactivate the LatePoint plugin on sites that permit open contributor registration - this disables booking functionality but eliminates the escalation path - or place the wp-admin and LatePoint AJAX/REST endpoints behind IP allowlisting or a WAF rule that blocks role-assignment parameters from non-administrator sessions.

Share

CVE-2026-49083 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy