CVE-2026-8176
Received Received - Intake
Privilege Escalation to Administrator in LatePoint WordPress Plugin

Publication date: 2026-06-16

Last updated on: 2026-06-16

Assigner: Wordfence

Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-16
Last Modified
2026-06-16
Generated
2026-06-16
AI Q&A
2026-06-16
EPSS Evaluated
N/A
NVD
CVE-2026-8176
EUVD
EUVD-2026-37060
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
latepoint calendar_booking_plugin to 5.5.1 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-269 The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress has a vulnerability that allows privilege escalation to Administrator. This affects versions up to and including 5.5.1. The vulnerability involves chaining three independent flaws that enable an authenticated user with Agent-level access or higher to overwrite a WordPress Administrator's password without needing to use any Administrator-only API.

As a result, an attacker who has Agent access can elevate their privileges to Administrator, gaining full control over the WordPress site.

Impact Analysis

This vulnerability can have a severe impact because it allows an attacker with relatively low-level access (Agent+) to gain full Administrator privileges on a WordPress site.

  • The attacker can overwrite the Administrator's password, effectively taking over the site.
  • With Administrator access, the attacker can modify site content, install malicious plugins or themes, steal sensitive data, or disrupt site operations.
  • This can lead to data breaches, loss of site integrity, and potential damage to the organization's reputation.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8176. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart