Platform: wordpress
Component: latepoint
Fixed version: 5.2.8
CVE-2026-1566 is a privilege escalation vulnerability discovered in the LatePoint – Calendar Booking Plugin for Appointments and Events WordPress plugin. This flaw allows authenticated attackers with Agent-level access or higher to gain elevated privileges, potentially compromising administrator accounts. The vulnerability affects versions from 0.0.0 up to and including 5.2.7, and a patch is available in version 5.2.8.
The core of this vulnerability lies in the plugin's customer creation process. Attackers with a LatePoint Agent role can manipulate the 'wordpressuserid' field when creating new customers. By linking a customer to an arbitrary WordPress user ID, including an administrator, the attacker can then leverage the password reset functionality to gain control of that administrator account. This effectively grants the attacker full administrative access to the WordPress site, enabling them to modify content, install malicious plugins, and compromise sensitive data. The potential impact is significant, as it allows for complete site takeover.
CVE-2026-1566 was publicly disclosed on 2026-03-02. Currently, there are no known public exploits or active campaigns targeting this vulnerability. The vulnerability is not listed on the CISA KEV catalog at the time of writing. The relatively low complexity of exploitation suggests that a public proof-of-concept could emerge, increasing the risk of exploitation.
WordPress websites utilizing the LatePoint – Calendar Booking Plugin, particularly those with multiple users and a tiered role structure, are at risk. Shared hosting environments where users have Agent-level access within the plugin are especially vulnerable, as the attacker's ability to escalate privileges is amplified.
• wordpress / composer / npm:
  grep -r 'wordpress_user_id' /var/www/html/wp-content/plugins/latepoint-booking-plugin/*
• wordpress / composer / npm:
  wp plugin list --status=active | grep latepoint
• wordpress / composer / npm:
  wp plugin update latepoint-booking-plugin
• wordpress / composer / npm:
  wp plugin status latepoint-booking-plugin
disclosure
Exploit status
EPSS: 0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1566 is to immediately upgrade the LatePoint plugin to version 5.2.8 or later. If upgrading is not immediately feasible due to compatibility issues or testing requirements, consider temporarily restricting the 'wordpressuserid' field to prevent user manipulation. While not a complete solution, this can reduce the attack surface. Review user roles and permissions within the LatePoint plugin to ensure the principle of least privilege is enforced. Monitor WordPress logs for suspicious activity related to customer creation and password reset requests.
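One way to apply the interim mitigation above while the upgrade is being tested, written here as an added example and not code from LatePoint or this advisory: a must-use plugin that rejects any POST from a non-administrator in which a field named wordpress_user_id (or wordpressuserid, both assumed names taken from this page) points at a privileged account. It relies only on WordPress core APIs, and the parameter names and the capability list are assumptions to adjust to the installed version.

```php
<?php
/**
 * Plugin Name: Interim guard for LatePoint customer-to-user linking
 * Description: Added example (not LatePoint code). Blocks non-administrators
 *              from linking a customer record to a privileged WordPress user.
 *              Place in wp-content/mu-plugins/ until LatePoint is on 5.2.8+.
 */

// Assumed request parameter names (taken from this advisory; verify against the plugin).
const LP_GUARD_FIELDS = ['wordpress_user_id', 'wordpressuserid'];
// Capabilities that mark a target account as privileged (assumption; tune to your roles).
const LP_GUARD_PRIVILEGED_CAPS = ['manage_options', 'edit_users', 'activate_plugins'];

/** Recursively collect the values of any matching key in a (possibly nested) request array. */
function lp_guard_find_user_ids(array $data): array {
    $found = [];
    foreach ($data as $key => $value) {
        if (is_array($value)) {
            $found = array_merge($found, lp_guard_find_user_ids($value));
        } elseif (in_array(strtolower((string) $key), LP_GUARD_FIELDS, true)) {
            $found[] = (int) $value;
        }
    }
    return $found;
}

/** True when the current requester must not be allowed to link a customer to $target_id. */
function lp_guard_should_block(int $target_id): bool {
    if ($target_id <= 0 || current_user_can('manage_options')) {
        return false; // nothing to link, or an administrator is doing it
    }
    if ($target_id === get_current_user_id()) {
        return false; // linking a customer record to oneself is legitimate
    }
    foreach (LP_GUARD_PRIVILEGED_CAPS as $cap) {
        if (user_can($target_id, $cap)) {
            return true; // agent (or any non-admin) targeting a privileged account
        }
    }
    return false;
}

// Priority 0 so the check runs before plugin handlers that hook init or admin-ajax.
add_action('init', function () {
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST' || !is_user_logged_in()) {
        return;
    }
    foreach (lp_guard_find_user_ids($_POST) as $target_id) {
        if (lp_guard_should_block($target_id)) {
            error_log(sprintf('LatePoint guard: user %d attempted to link a customer to privileged user %d from %s',
                get_current_user_id(), $target_id, $_SERVER['REMOTE_ADDR'] ?? 'unknown'));
            wp_die('Linking a customer to a privileged WordPress account is not permitted.', 'Forbidden', ['response' => 403]);
        }
    }
}, 0);
```

The error_log line gives the "suspicious activity related to customer creation" signal the advisory recommends monitoring; forward it to your SIEM alongside password reset events for the same user IDs.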
Update to version 5.2.8 or a later fixed version.
CVE-2026-1566 is a HIGH severity vulnerability in the LatePoint plugin for WordPress allowing attackers with Agent access to escalate privileges and potentially gain admin control.
You are affected if you are using LatePoint plugin versions 0.0.0 through 5.2.7. Upgrade to 5.2.8 to resolve the issue.
Upgrade the LatePoint plugin to version 5.2.8 or later. If immediate upgrade is not possible, temporarily restrict the 'wordpressuserid' field.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's simplicity suggests potential for future exploitation.
Refer to the official LatePoint plugin website or WordPress plugin repository for the latest advisory and update information.