Platform
wordpress
Component
latepoint
Fixed in
5.2.8
CVE-2026-1566 is a privilege escalation vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress. It allows an authenticated attacker holding the plugin's Agent role (or any higher role) to take over higher-privileged accounts, including administrators. Versions 0.0.0 up to and including 5.2.7 are affected; version 5.2.8 contains the fix.
The flaw is in the plugin's customer creation flow. A user with the LatePoint Agent role can set the customer record's `wordpress_user_id` field (rendered as 'wordpressuserid' in some write-ups) to an arbitrary WordPress user ID, including that of an administrator; the plugin does not verify that the agent is entitled to link a customer to that account. Once the customer record is tied to the administrator's account, the attacker runs the password reset functionality for that customer, and because the customer resolves to the administrator's WordPress user, the reset lands on the administrator's account. The outcome is full administrative access: changing content, installing malicious plugins, and reading any data the site stores. One Agent account is therefore sufficient for a complete site takeover.
CVE-2026-1566 was publicly disclosed on 2026-03-02. At the time of writing there are no known public exploits or active campaigns targeting it, and it is not listed in the CISA KEV catalog. Exploitation requires nothing beyond an Agent account and ordinary form submissions, so a public proof of concept could appear quickly and raise the risk.
Every WordPress site running LatePoint 5.2.7 or earlier is affected, but the practical exposure depends on who holds the Agent role. Sites that hand Agent access to staff, contractors, or several businesses sharing one booking installation have turned each of those accounts into a route to administrator. A site where the only LatePoint users are already administrators gains nothing from the bug, but still needs the update.
Checks and remediation (wordpress / composer / npm):
• Locate the code that handles the field (adjust the path to the plugin directory actually installed):
grep -r 'wordpress_user_id' /var/www/html/wp-content/plugins/latepoint-booking-plugin/*
• Confirm the plugin is installed and active, and note its slug as reported by WP-CLI:
wp plugin list --status=active | grep latepoint
• Update the plugin to the fixed release (use the slug from the previous step; `wp plugin update --all` updates every plugin instead, and should not be combined with a plugin name):
wp plugin update latepoint-booking-plugin
• Verify the installed version is 5.2.8 or later:
wp plugin status latepoint-booking-plugin
Disclosure
Exploit Status
EPSS
0.04% (13th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-1566 is to upgrade the LatePoint plugin to version 5.2.8 or later without delay. If the upgrade must wait for compatibility testing, restrict the `wordpress_user_id` field in the meantime so that only users who are already allowed to manage WordPress accounts can set it; this narrows the attack surface but is not a substitute for the patch. Review the roles and permissions granted inside LatePoint and remove Agent access from anyone who does not need it, in line with least privilege. Watch for customer records linked to administrator accounts, and review web server access logs and any audit-log plugin for customer creation followed by password reset requests for privileged accounts; WordPress core keeps no such log on its own.
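The following must-use plugin is an added example written for this advisory; it is not LatePoint's code and not a vendor-supplied fix. It implements the two interim controls described above for the escalation path outlined earlier (the Agent sets `wordpress_user_id` on a customer, then resets the linked administrator's password): it strips the field from requests made by anyone who cannot already manage user accounts, and it logs every password reset request that targets an administrator. Everything about how LatePoint consumes the field is an assumption here: the code expects a request parameter named `wordpress_user_id` (possibly nested under a form array) that the plugin reads from `$_POST` or `$_REQUEST` after WordPress's `init` hook. If the plugin reads the raw request body or uses a different parameter name, the filter will not see the value, which is why the real fix remains the 5.2.8 update.

```php
<?php
/**
 * Plugin Name: LatePoint wordpress_user_id hardening (hypothetical example)
 *
 * Added example, not LatePoint's or WordPress core's code. Place the file in
 * wp-content/mu-plugins/ as a temporary compensating control until the
 * plugin is on 5.2.8 or later, then remove it.
 *
 * Assumptions (not confirmed by the advisory):
 *   - the customer form submits the link as a parameter named
 *     wordpress_user_id, possibly nested (e.g. customer[wordpress_user_id]);
 *   - the plugin reads that value from $_POST / $_REQUEST after `init`.
 */

defined( 'ABSPATH' ) || exit;

const LP_HARDEN_FIELD = 'wordpress_user_id';

/**
 * Authorization rule: only users who may already manage other accounts
 * (the edit_users capability) get to decide which WordPress account a
 * customer maps to. A LatePoint Agent does not hold that capability.
 */
function lp_harden_can_set_wp_user_link() {
    return is_user_logged_in() && current_user_can( 'edit_users' );
}

/**
 * Recursively remove the field from a request array. Returns the number
 * of occurrences removed so the caller can log the attempt.
 */
function lp_harden_strip_field( array &$data, $field = LP_HARDEN_FIELD ) {
    $removed = 0;
    foreach ( array_keys( $data ) as $key ) {
        if ( $key === $field ) {
            unset( $data[ $key ] );
            $removed++;
        } elseif ( is_array( $data[ $key ] ) ) {
            $removed += lp_harden_strip_field( $data[ $key ], $field );
        }
    }
    return $removed;
}

/**
 * Strip the field from the superglobals before plugin handlers run
 * (admin-ajax and REST callbacks fire after `init`). Priority 0 so this
 * runs ahead of plugins hooking `init` at the default priority.
 */
add_action( 'init', function () {
    if ( lp_harden_can_set_wp_user_link() ) {
        return; // administrators keep the ability to link accounts
    }
    $removed  = lp_harden_strip_field( $_POST );
    $removed += lp_harden_strip_field( $_REQUEST );
    if ( $removed > 0 ) {
        error_log( sprintf(
            'lp-harden: stripped %d %s value(s) from request by user %d (%s) at %s',
            $removed,
            LP_HARDEN_FIELD,
            get_current_user_id(),
            wp_get_current_user()->user_login,
            $_SERVER['REQUEST_URI'] ?? ''
        ) );
    }
}, 0 );

/**
 * Detection side: the escalation finishes with a password reset for the
 * hijacked account, so log every reset request that targets a user with
 * manage_options. `retrieve_password` is a core action that receives the
 * resolved user_login of the account being reset.
 */
add_action( 'retrieve_password', function ( $user_login ) {
    $user = get_user_by( 'login', $user_login );
    if ( $user && user_can( $user, 'manage_options' ) ) {
        error_log( sprintf(
            'lp-harden: password reset requested for administrator %s from %s',
            $user_login,
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
    }
} );
```

The log lines go to PHP's error log (or wherever `error_log` is routed on the host); forward them to whatever alerting the site already has. A stripped-field entry from an Agent account, followed shortly by a reset request for an administrator, is exactly the sequence this vulnerability produces and warrants an immediate review of that Agent's activity and of every customer record that points at a privileged user.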
Update to version 5.2.8 or a newer patched version
CVE-2026-1566 is a HIGH severity vulnerability in the LatePoint plugin for WordPress allowing attackers with Agent access to escalate privileges and potentially gain admin control.
You are affected if you are using LatePoint plugin versions 0.0.0 through 5.2.7. Upgrade to 5.2.8 to resolve the issue.
Upgrade the LatePoint plugin to version 5.2.8 or later. If an immediate upgrade is not possible, temporarily restrict the `wordpress_user_id` field so that only users who may already manage WordPress accounts can set it.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's simplicity suggests potential for future exploitation.
Refer to the official LatePoint plugin website or WordPress plugin repository for the latest advisory and update information.