CVE-2026-7652
Account Takeover in LatePoint WordPress Plugin via Weak Password Recovery
Publication date: 2026-05-09
Last updated on: 2026-05-09
Assigner: Wordfence
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| latepoint | latepoint | up to and including 5.5.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
AI Powered Q&A
Can you explain this vulnerability to me?
The LatePoint plugin for WordPress has a vulnerability that allows an unauthenticated attacker to take over user accounts. This happens because the plugin's function save_connected_wordpress_user() updates a WordPress user's email address without verifying ownership. Combined with the guest booking flow's ability to overwrite a customer's email via phone-based merging without authentication, an attacker can change the email address of a WordPress user account that is linked to LatePoint but not yet connected to a customer.
Once the attacker controls the email address, they can trigger the standard WordPress password reset process to gain full access to that user account. This vulnerability affects versions up to and including 5.5.0 of the LatePoint plugin, but administrator accounts on single-site installs are not affected.
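The root cause described above is an email update on a linked WordPress user that never checks who is asking. The following is an added, hypothetical hardened handler written for this page (it is not LatePoint's code, and the function name, the `wordpress_user_id` field and the `example_pending_email` meta key are assumptions): it refuses to change the address unless the requester is the linked user or may edit users, and it only records the new address as pending until it is confirmed, so an unauthenticated guest-booking or phone-merge path cannot redirect a password reset.

```php
<?php
// Hypothetical hardened sync of a customer's email to the linked WordPress user.
// Added example, not LatePoint's code. Assumes $customer->wordpress_user_id.
function example_sync_email_to_wp_user( $customer, $new_email ) {
    $wp_user_id = (int) $customer->wordpress_user_id;
    if ( $wp_user_id <= 0 ) {
        return new WP_Error( 'no_link', 'Customer is not linked to a WordPress user.' );
    }

    // Ownership check (the missing step behind CWE-640 here): only the linked
    // user, or a user with the edit_user meta-capability, may change the address.
    // A request from the unauthenticated guest-booking flow has user id 0 and fails.
    $requester = get_current_user_id();
    if ( $requester !== $wp_user_id && ! current_user_can( 'edit_user', $wp_user_id ) ) {
        return new WP_Error( 'not_owner', 'Not allowed to change this account email.' );
    }

    $new_email = sanitize_email( $new_email );
    if ( ! is_email( $new_email ) ) {
        return new WP_Error( 'bad_email', 'Invalid email address.' );
    }
    $existing = email_exists( $new_email );
    if ( $existing && (int) $existing !== $wp_user_id ) {
        return new WP_Error( 'email_taken', 'Email already belongs to another account.' );
    }

    // Never overwrite the login identity in place. Store the change as pending
    // with a hashed, expiring token; apply it only after the confirmation link
    // sent to the new address is followed (confirmation endpoint not shown).
    $token = wp_generate_password( 32, false );
    update_user_meta( $wp_user_id, 'example_pending_email', array(
        'email'   => $new_email,
        'hash'    => wp_hash( $token ),
        'expires' => time() + HOUR_IN_SECONDS,
    ) );
    wp_mail(
        $new_email,
        'Confirm your new email address',
        'Open this link to confirm: ' . add_query_arg( 'example_confirm', $token, home_url( '/' ) )
    );
    return true;
}
```

Any guest-booking merge logic should update only the customer record and never call into this path, since the WordPress user's email is the identity the password-reset flow trusts.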
How can this vulnerability impact me?
This vulnerability can lead to unauthorized account takeover by attackers without needing to authenticate. If exploited, an attacker can gain control over a WordPress user account by changing its email address and resetting the password.
The impact includes potential loss of control over user accounts, unauthorized access to user data, and possible misuse of the compromised accounts. However, administrator accounts on single-site WordPress installations are not vulnerable.