CVE-2026-1566
Received Received - Intake
Privilege Escalation via Password Reset in LatePoint WordPress Plugin

Publication date: 2026-03-03

Last updated on: 2026-03-03

Assigner: Wordfence

Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the 'wordpress_user_id' field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-03
Last Modified
2026-03-03
Generated
2026-06-16
AI Q&A
2026-03-03
EPSS Evaluated
2026-06-15
NVD
CVE-2026-1566
EUVD
EUVD-2026-9269
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
latepoint calendar_booking_plugin to 5.2.7 (inc)
latepoint calendar_booking_plugin 5.2.8
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The LatePoint Calendar Booking Plugin for WordPress has a vulnerability that allows privilege escalation via password reset. Specifically, users with the LatePoint Agent role, who can create new customers, are able to set the 'wordpress_user_id' field arbitrarily. This means an authenticated attacker with Agent-level access or higher can link a customer to any WordPress user ID, including administrators, and then reset that user's password to gain elevated privileges.

Impact Analysis

This vulnerability can have a severe impact as it allows attackers with relatively low-level access (Agent role) to escalate their privileges to administrator level by resetting passwords of arbitrary users. This can lead to full site compromise, including unauthorized access to sensitive data, modification of site content, and potential control over the entire WordPress installation.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

[{'type': 'paragraph', 'content': 'To mitigate the privilege escalation vulnerability in the LatePoint WordPress plugin, you should immediately update the plugin to version 5.2.8 or later, which contains the security fixes.'}, {'type': 'list_item', 'content': 'Apply the update that restricts unauthorized mass assignment of the wordpress_user_id field to admin users only.'}, {'type': 'list_item', 'content': "Ensure that the plugin's nonce verification is enabled to protect against CSRF attacks."}, {'type': 'list_item', 'content': 'Verify that the plugin sanitizes inputs properly to prevent cross-site scripting (XSS) vulnerabilities.'}, {'type': 'list_item', 'content': 'Review user roles and permissions to ensure that only trusted users have Agent-level or higher access.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-1566. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart