CVE-2026-1566
📋 TL;DR
This vulnerability allows authenticated attackers with Agent-level access in the LatePoint WordPress plugin to escalate privileges by linking customer accounts to arbitrary WordPress user IDs, including administrators, then resetting passwords. All WordPress sites using LatePoint plugin versions up to 5.2.7 are affected. Attackers need at least Agent-level access to exploit this.
💻 Affected Systems
- LatePoint – Calendar Booking Plugin for Appointments and Events
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete site takeover where attackers gain administrator access, install backdoors, modify content, steal data, and potentially compromise the entire WordPress installation and server.
Likely Case
Attackers with existing Agent access escalate to administrator privileges, gaining full control over the WordPress site including plugin/theme management, user administration, and content modification.
If Mitigated
With proper access controls and monitoring, exploitation attempts are detected and blocked before privilege escalation occurs, limiting impact to unauthorized access attempts.
🎯 Exploit Status
Exploitation requires authenticated access with Agent role or higher. The vulnerability is straightforward to exploit once an attacker has the required access level.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.2.8 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3463945/
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find LatePoint plugin. 4. Click 'Update Now' if update available. 5. If no update shows, download version 5.2.8+ from WordPress.org and manually update.
🔧 Temporary Workarounds
Temporarily disable LatePoint plugin
allCompletely disable the vulnerable plugin until patched
wp plugin deactivate latepoint
Remove Agent role permissions
linuxTemporarily remove or restrict Agent role users
wp user list --role=latepoint_agent --field=ID | xargs wp user set-role subscriber
🧯 If You Can't Patch
- Implement strict access controls and monitor all Agent role user activities
- Disable password reset functionality or implement additional authentication factors
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → LatePoint → Version. If version is 5.2.7 or lower, you are vulnerable.Check Version:
wp plugin get latepoint --field=versionVerify Fix Applied:
Verify LatePoint plugin version is 5.2.8 or higher in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual password reset attempts for admin users
- Multiple customer creation events by single Agent user
- User role changes from Agent to Administrator
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=latepoint_* containing wordpress_user_id parameter
- Unusual password reset email traffic
SIEM Query:
source="wordpress.log" AND ("password reset" OR "role changed" OR "latepoint_customer")