Severity by source
AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Network-reachable WordPress endpoint (AV:N), contributor account required (PR:L), non-trivial exploitation conditions (AC:H), no admin interaction (UI:N), and full site takeover yields C:H/I:H/A:H.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
Contributor Privilege Escalation in LatePoint <= 5.5.1 versions.
AnalysisAI
Privilege escalation in the LatePoint WordPress plugin versions 5.5.1 and earlier allows authenticated users holding low-privileged contributor accounts to elevate to higher-privileged roles, according to a Patchstack advisory. CVSS 3.1 scores this 7.5 (High) with full confidentiality, integrity, and availability impact, though high attack complexity and required low privileges constrain trivial exploitation. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.
Technical ContextAI
LatePoint is a commercial WordPress appointment-booking and scheduling plugin that integrates with WordPress user roles to manage agents, customers, and bookings. The flaw is classified as CWE-266 (Incorrect Privilege Assignment), meaning the plugin assigns or accepts a privilege level higher than what the requesting WordPress user should be granted - typically caused by missing capability checks (current_user_can), trusting client-supplied role parameters, or improperly mapping booking/agent roles back to WordPress roles. Because LatePoint exposes booking workflows and agent management to lower-privileged users, an unsafe role assignment path lets a contributor-level account acquire capabilities normally reserved for editors or administrators within the WordPress site running the plugin.
RemediationAI
Upstream fix availability is not explicitly confirmed in the provided data; administrators should upgrade LatePoint to a version newer than 5.5.1 once the vendor publishes one and consult the Patchstack advisory at https://patchstack.com/database/wordpress/plugin/latepoint/vulnerability/wordpress-latepoint-plugin-5-5-1-privilege-escalation-vulnerability for the patched release number. Until a fixed version is installed, restrict who can register or be assigned the WordPress Contributor role and audit existing contributor accounts for unexpected capability changes, accepting that this limits legitimate contributor-driven content workflows. As a stronger compensating control, deactivate the LatePoint plugin on sites that permit open contributor registration - this disables booking functionality but eliminates the escalation path - or place the wp-admin and LatePoint AJAX/REST endpoints behind IP allowlisting or a WAF rule that blocks role-assignment parameters from non-administrator sessions.
The LatePoint plugin for WordPress is vulnerable to authentication bypass in versions up to, and including, 5.0.12. Rate
The LatePoint plugin for WordPress is vulnerable to Arbitrary User Password Change via SQL Injection in versions up to,
The LatePoint Plugin plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a
Blind SQL injection in the LatePoint WordPress appointment-booking plugin (versions up to and including 5.6.3) lets remo
Cross-Site Request Forgery (CSRF) vulnerability in Latepoint LatePoint allows Cross Site Request Forgery.9.91. Rated hig
An authorization bypass vulnerability exists in LatePoint versions up to and including 5.2.6 that allows attackers to ex
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Latepoint L
Same weakness CWE-266 – Incorrect Privilege Assignment
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-36879
GHSA-2prc-85pp-97r9