CVE-2026-1566
Privilege Escalation via Password Reset in LatePoint WordPress Plugin
Publication date: 2026-03-03
Last updated on: 2026-03-03
Assigner: Wordfence
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range | Status |
|---|---|---|---|
| latepoint | calendar_booking_plugin | up to and including 5.2.7 | affected |
| latepoint | calendar_booking_plugin | 5.2.8 | fixed (contains the patch referenced in the mitigation section) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor. |
AI Powered Q&A
Can you explain this vulnerability to me?
The LatePoint Calendar Booking Plugin for WordPress has a vulnerability that allows privilege escalation via password reset. Specifically, users with the LatePoint Agent role, who can create new customers, are able to set the 'wordpress_user_id' field arbitrarily. This means an authenticated attacker with Agent-level access or higher can link a customer to any WordPress user ID, including administrators, and then reset that user's password to gain elevated privileges.
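The pattern described above is classic mass assignment (CWE-269): a field that should only ever be set by an administrator is accepted from any caller who can reach the customer-creation form. The following is an added example written for this page, not LatePoint's code; the function names, the `example_customers` table and the nonce action are assumptions. It shows the vulnerable shape beside a hardened handler that allow-lists the fields an Agent may set and honours `wordpress_user_id` only for administrators.

```php
<?php
// Added example, not LatePoint's own code. Function and table names are assumed.
// Requires WordPress to be loaded (sanitize_text_field, current_user_can, etc.).

// BEFORE (vulnerable pattern): every posted field, including wordpress_user_id,
// is copied into the customer record. An Agent can therefore post
// wordpress_user_id=1 and link the new customer to the first administrator.
function example_save_customer_vulnerable( array $posted ) {
    global $wpdb;
    $data = array();
    foreach ( array( 'first_name', 'last_name', 'email', 'wordpress_user_id' ) as $field ) {
        if ( isset( $posted[ $field ] ) ) {
            $data[ $field ] = sanitize_text_field( wp_unslash( $posted[ $field ] ) );
        }
    }
    return $wpdb->insert( $wpdb->prefix . 'example_customers', $data ); // assumed table
}

// AFTER (hardened): the linkage field is treated as an admin-only attribute,
// the request is nonce-checked, and the target user must actually exist.
function example_save_customer_hardened( array $posted ) {
    global $wpdb;

    // Nonce check: protects the form that posts these fields against CSRF.
    if ( ! isset( $posted['_wpnonce'] )
        || ! wp_verify_nonce( $posted['_wpnonce'], 'example_save_customer' ) ) {
        return new WP_Error( 'bad_nonce', 'Nonce verification failed.' );
    }

    // Allow-list: only fields an Agent is entitled to set are copied.
    // Anything else in $posted (including wordpress_user_id) is dropped.
    $allowed = array( 'first_name', 'last_name' );
    $data    = array();
    foreach ( $allowed as $field ) {
        if ( isset( $posted[ $field ] ) ) {
            $data[ $field ] = sanitize_text_field( wp_unslash( $posted[ $field ] ) );
        }
    }
    if ( isset( $posted['email'] ) ) {
        $email = sanitize_email( wp_unslash( $posted['email'] ) );
        if ( ! is_email( $email ) ) {
            return new WP_Error( 'bad_email', 'Invalid e-mail address.' );
        }
        $data['email'] = $email;
    }

    // The WordPress account linkage is only honoured for administrators
    // (manage_options). For an Agent the field is ignored, so a customer can
    // never be pointed at an account the Agent does not control.
    if ( isset( $posted['wordpress_user_id'] ) ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error( 'forbidden', 'Only administrators may link customers to WordPress users.' );
        }
        $target_id = absint( $posted['wordpress_user_id'] );
        if ( $target_id === 0 || ! get_userdata( $target_id ) ) {
            return new WP_Error( 'bad_user', 'No such WordPress user.' );
        }
        $data['wordpress_user_id'] = $target_id;
    }

    return $wpdb->insert( $wpdb->prefix . 'example_customers', $data ); // assumed table
}
```

The important design choice is that the hardened version starts from an allow-list of writable fields rather than a deny-list of dangerous ones; a later schema addition then defaults to "not writable by Agents" instead of "writable by everyone". Rejecting, rather than silently dropping, a non-admin attempt to set `wordpress_user_id` also gives you a log line to alert on.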
How can this vulnerability impact me?
This vulnerability can have a severe impact as it allows attackers with relatively low-level access (Agent role) to escalate their privileges to administrator level by resetting passwords of arbitrary users. This can lead to full site compromise, including unauthorized access to sensitive data, modification of site content, and potential control over the entire WordPress installation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
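One practical check on an existing site is to look for the precondition of the attack: customer records whose `wordpress_user_id` points at a privileged account, or at an account whose e-mail does not match the customer's. The audit helper below is an added example for this page, not LatePoint's code; the table name `latepoint_customers` and the column names `id`, `email` and `wordpress_user_id` are assumptions about the plugin's schema and should be confirmed with `wp db tables` and `wp db columns` before use.

```php
<?php
// Added example, not LatePoint's own code. Table and column names are assumed.
// Run inside WordPress, e.g. with WP-CLI:  wp eval-file audit-latepoint-links.php

// Returns customer records linked to a WordPress user that either holds the
// audited capability (administrator by default) or has a different e-mail
// address than the customer record, both signals that the link may have been
// planted by an Agent rather than created legitimately.
function example_find_suspicious_customer_links( $capability = 'manage_options' ) {
    global $wpdb;
    $table = $wpdb->prefix . 'latepoint_customers'; // assumed table name

    $rows = $wpdb->get_results(
        "SELECT id, email, wordpress_user_id FROM {$table} "
        . 'WHERE wordpress_user_id IS NOT NULL AND wordpress_user_id > 0',
        ARRAY_A
    );
    if ( ! is_array( $rows ) ) {
        // Query failed: most likely the assumed table/column names are wrong.
        return new WP_Error( 'query_failed', $wpdb->last_error ?: 'No rows returned.' );
    }

    $hits = array();
    foreach ( $rows as $row ) {
        $user = get_userdata( (int) $row['wordpress_user_id'] );
        if ( ! $user ) {
            continue; // dangling link, not a privilege-escalation path
        }
        $reasons = array();
        if ( user_can( $user, $capability ) ) {
            $reasons[] = "linked user holds {$capability}";
        }
        if ( strcasecmp( (string) $row['email'], (string) $user->user_email ) !== 0 ) {
            $reasons[] = 'customer e-mail differs from user e-mail';
        }
        if ( $reasons ) {
            $hits[] = array(
                'customer_id'    => (int) $row['id'],
                'customer_email' => $row['email'],
                'user_id'        => (int) $user->ID,
                'user_login'     => $user->user_login,
                'reasons'        => $reasons,
            );
        }
    }
    return $hits;
}

$result = example_find_suspicious_customer_links();
if ( is_wp_error( $result ) ) {
    fwrite( STDERR, 'Audit failed: ' . $result->get_error_message() . "\n" );
    exit( 1 );
}
foreach ( $result as $hit ) {
    printf(
        "customer %d <%s> -> user %d (%s): %s\n",
        $hit['customer_id'],
        $hit['customer_email'],
        $hit['user_id'],
        $hit['user_login'],
        implode( '; ', $hit['reasons'] )
    );
}
```

Any hit where a customer created by an Agent points at an administrator should be treated as a possible compromise: unlink the customer, rotate the administrator's password and sessions, and review the plugin's logs for password-reset events on that account. Because the vulnerable versions let the link be set at creation time, also compare each flagged customer's creation date with the Agent accounts that existed at that time.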
What immediate steps should I take to mitigate this vulnerability?
To mitigate the privilege escalation vulnerability in the LatePoint WordPress plugin, you should immediately update the plugin to version 5.2.8 or later, which contains the security fixes.
- Apply the update that restricts unauthorized mass assignment of the wordpress_user_id field to admin users only.
- Ensure that the plugin's nonce verification is enabled to protect against CSRF attacks.
- Verify that the plugin sanitizes inputs properly to prevent cross-site scripting (XSS) vulnerabilities.
- Review user roles and permissions to ensure that only trusted users have Agent-level or higher access. [2]