CVE-2026-13228
Status: Deferred - Pending Action

Privilege Escalation to Administrator in LatePoint WordPress Plugin

Vulnerability report for CVE-2026-13228, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: Wordfence

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3. This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, which allows an authenticated Agent to supply an arbitrary order[customer_id] and overwrite any LatePoint customer's email field (including one linked to a WordPress Administrator's account) through the public-scope customer set_data() call, combined with a missing role verification in OsAuthHelper::authorize_customer(), which logs in the linked WordPress user without checking its role. This makes it possible for authenticated attackers, with custom (Agent)-level access and above, to elevate their privileges to Administrator.

Meta Information

Published: 2026-07-01
Last Modified: 2026-07-01
Generated: 2026-07-01
AI Q&A: 2026-07-01
EPSS Evaluated: N/A

Affected Vendors & Products

1 associated CPE:

Vendor | Product | Version / Range
latepoint | calendar_booking_plugin | up to 5.6.3 (inclusive)

CWE

CWE ID | Description
CWE-269 | The product does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.

Executive Summary

This vulnerability exists in the LatePoint – Calendar Booking Plugin for WordPress, versions up to and including 5.6.3. It is a Privilege Escalation issue caused by an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController. An authenticated user with Agent-level access can supply an arbitrary customer ID and overwrite any LatePoint customer's email address, including those linked to WordPress Administrator accounts. Due to missing role verification in the authorization process, this allows the attacker to log in as the linked WordPress user without proper role checks, effectively elevating their privileges to Administrator.

Impact Analysis

This vulnerability can have severe impacts as it allows an authenticated user with limited privileges (Agent-level) to escalate their access to Administrator level. This means the attacker can gain full control over the WordPress site, potentially leading to unauthorized access to sensitive data, modification or deletion of content, installation of malicious code, and complete compromise of the website's security.
