Skip to main content

LatePoint Plugin CVE-2026-8176

| EUVDEUVD-2026-37060 HIGH
Improper Privilege Management (CWE-269)
2026-06-16 Wordfence GHSA-2pxw-w9w5-c6hm
7.5
CVSS 3.1 · NVD
Share

Severity by source

Vendor (Wordfence) PRIMARY
HIGH
qualitative
NVD
7.5 HIGH
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
7.5 HIGH

Network-reachable WordPress endpoints (AV:N), requires authenticated Agent role (PR:L), chaining three flaws raises complexity (AC:H), and Administrator takeover yields full C/I/A impact.

3.1 AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorNVD

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jun 16, 2026 - 10:20 vuln.today
CVE Published
Jun 16, 2026 - 09:31 cve.org
HIGH 7.5

DescriptionNVD

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator.

AnalysisAI

Privilege escalation in the LatePoint Calendar Booking plugin for WordPress (versions up to and including 5.5.1) allows an authenticated user with Agent-level access or higher to chain three independent flaws and overwrite a WordPress Administrator's password without invoking any Administrator-only API. Wordfence-reported flaw with no public exploit identified at time of analysis, though source code locations of all three vulnerable code paths are referenced in the disclosure.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain Agent-level LatePoint account
Delivery
Identify Administrator-linked customer record
Exploit
Invoke orders/customer-cabinet endpoints to reach update flow
Execution
Chain customer_model/customer_helper flaws to overwrite admin password
Persist
Authenticate as WordPress Administrator
Impact
Install backdoor or pivot

Vulnerability AssessmentAI

Exploitation Attacker must hold an authenticated LatePoint Agent role or higher on the target WordPress site (PR:L), the vulnerable LatePoint plugin must be installed and active at version ≤ 5.5.1, and at least one WordPress Administrator account must exist as a target for the password overwrite. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H, score 7.5) reflects a network-reachable but high-complexity attack that requires existing low-privilege (Agent) authentication and yields full C/I/A impact once an Administrator password is rewritten - effectively full site takeover. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises an Agent-tier LatePoint account on a target WordPress site, then issues a sequence of crafted requests through the customer cabinet and orders/customers controllers to drive the customer-update flow against a record linked to a WordPress Administrator. Because the password-change path does not re-check privilege of the target, the Administrator's password is silently overwritten, and the attacker logs in as Administrator to install backdoors or pivot. …
Remediation No vendor-released patch identified at time of analysis - the input data references vulnerable code in the 5.5.1 tag and trunk but does not confirm a fixed release version, so administrators should monitor the Wordfence advisory (https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d5bb6c-2021-4fc0-bede-8da1c3fb591a) and the LatePoint plugin page on WordPress.org for an update beyond 5.5.1 and upgrade as soon as one is published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all WordPress installations running LatePoint ≤5.5.1; audit current Agent-level account assignments; restrict creation of new Agent accounts pending resolution. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-8176 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy