Skip to main content

LatePoint EUVDEUVD-2026-40943

| CVE-2026-13228 HIGH
Improper Privilege Management (CWE-269)
2026-07-01 Wordfence GHSA-9xqc-qhp9-fr5q
8.8
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable and deterministic (AV:N/AC:L) with no user interaction, but requires an authenticated Agent account (PR:L); escalation to Administrator yields total C/I/A within the same site scope.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 11:06 vuln.today
CVE Published
Jul 01, 2026 - 09:32 cve.org
HIGH 8.8

DescriptionCVE.org

The LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, which allows an authenticated Agent to supply an arbitrary order[customer_id] and overwrite any LatePoint customer's email field (including one linked to a WordPress Administrator's account) through the public-scope customer set_data() call, combined with a missing role verification in OsAuthHelper::authorize_customer() which logs in the linked WordPress user without checking its role. This makes it possible for authenticated attackers, with custom (Agent)-level access and above, to elevate their privileges to Administrator.

AnalysisAI

Privilege escalation to Administrator in the LatePoint booking plugin for WordPress (versions up to and including 5.6.3) lets an authenticated Agent-level user hijack any WordPress account by abusing an Insecure Direct Object Reference in OsOrdersController::create_or_update(). By supplying an arbitrary order[customer_id], an attacker overwrites the email of any LatePoint customer - including one tied to a WordPress Administrator - and then logs in as that user because OsAuthHelper::authorize_customer() never checks the linked account's role. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate as LatePoint Agent
Delivery
Submit create_or_update with arbitrary order[customer_id]
Exploit
Overwrite Administrator-linked customer email
Execution
Trigger authorize_customer login flow
Persist
Log in as WordPress Administrator
Impact
Full site takeover

Vulnerability AssessmentAI

Exploitation The attacker must already hold an authenticated LatePoint Agent-level account (or a higher custom role) on the target WordPress site - this is the core prerequisite and main limiting factor, as the flaw is not anonymously exploitable. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8, High) is internally consistent with the description: network-reachable, low complexity, no user interaction, and requiring only low privilege (an authenticated Agent account), yielding full C/I/A impact because the end state is WordPress Administrator. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds (or is granted) a low-privilege LatePoint Agent account sends a crafted create_or_update() request to OsOrdersController with order[customer_id] set to the customer record linked to a site Administrator and an email value they control. The plugin overwrites the Administrator-linked customer's email, and the attacker then triggers the customer login flow, where authorize_customer() logs them in as the Administrator without any role check - resulting in full site takeover. …
Remediation Update LatePoint to version 5.6.4 or later, the first release beyond the affected 5.6.3 and the one containing the fix documented in the WordPress plugin trac changeset (https://plugins.trac.wordpress.org/changeset/3590914/latepoint/trunk/lib/controllers/orders_controller.php and the 5.6.3→5.6.4 diff at https://plugins.trac.wordpress.org/changeset?old_path=%2Flatepoint/tags/5.6.3&new_path=%2Flatepoint/tags/5.6.4); consult the Wordfence advisory at https://www.wordfence.com/threat-intel/vulnerabilities/id/8f9db3b8-dd37-4d8b-b041-50b453858a39?source=cve for details. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Audit WordPress sites for LatePoint plugin installations (versions ≤5.6.3) and immediately restrict or eliminate Agent-level user access, or deactivate the plugin. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40943 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy