Skip to main content

LatePoint WordPress Plugin CVE-2026-7652

| EUVDEUVD-2026-28881 MEDIUM
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-05-09 Wordfence GHSA-25hw-9r4r-54w4
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 09, 2026 - 03:30 vuln.today
CVE Published
May 09, 2026 - 02:25 nvd
MEDIUM 5.3

DescriptionCVE.org

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected.

AnalysisAI

LatePoint plugin for WordPress versions up to 5.5.0 allows unauthenticated attackers to perform account takeover of non-super-admin WordPress users by exploiting a weak password recovery mechanism in the guest booking flow. The vulnerability chains two flaws: the plugin's save_connected_wordpress_user() function updates WordPress user emails via wp_update_user() without ownership verification, and the guest booking flow permits email overwrites through phone-based customer merging without authentication. Attackers can overwrite a target user's email address and then trigger WordPress's standard password reset to gain full account access. No public exploit code has been identified at time of analysis, but exploitation requires only that the plugin be configured with WordPress user integration enabled, phone-based contact merging enabled, and customer authentication disabled.

Technical ContextAI

The vulnerability exploits two distinct flaws in the LatePoint plugin's architecture. First, the save_connected_wordpress_user() function (referenced in customer_helper.php line 238) uses wp_update_user() to synchronize LatePoint customer email addresses directly to linked WordPress user accounts without verifying that the person initiating the change owns that WordPress account. Second, the guest booking flow (steps_helper.php lines 1940 and 1972) implements a phone-based customer merge feature that allows existing customers' email addresses to be overwritten without authentication or authorization checks. The CWE-640 classification (Weak Password Recovery Mechanism) indicates the root cause: the plugin improperly delegates password recovery to WordPress's native reset flow while allowing email hijacking upstream. This creates a privilege escalation path where an unauthenticated attacker can modify a legitimate user's email to an attacker-controlled address, then use WordPress's password reset functionality (which is typically unrestricted for unauthenticated users) to regain access. The vulnerability only affects WordPress users not yet linked to a LatePoint customer and excludes administrator accounts on single-site installs due to WordPress's default protections for administrative users.

RemediationAI

Upgrade LatePoint to version 5.5.1 or later, which includes fixes to the save_connected_wordpress_user() function and email merge logic to enforce ownership verification before updating WordPress user emails. If immediate patching is not possible, disable phone-based customer contact merging in the LatePoint plugin settings until the patch can be applied; this eliminates the email overwrite vector while preserving other booking functionality. Alternatively, enable customer authentication in the guest booking flow configuration, which requires visitors to verify their identity before merging customer records and prevents unauthenticated email manipulation. For high-sensitivity deployments, disable WordPress user integration in LatePoint settings entirely if your workflow does not depend on automatic WordPress account synchronization; this removes the save_connected_wordpress_user() code path from execution. Be aware that disabling WordPress integration may impact user experience if your site relies on automatic account creation or synchronization. Review affected user accounts (non-super-admin WordPress users created within LatePoint guest booking flow) for unauthorized email changes or password reset activity after the vulnerability disclosure date, and force password resets for any accounts that show signs of compromise. Wordfence has published a detailed advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/bdaa32cd-a148-4554-9fd5-f5b0a5b2d1c3?source=cve with additional context and detection guidance.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-7652 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy