Attack Vectors
The vulnerability CVE-2026-1566 affects the LatePoint – Calendar Booking Plugin for Appointments and Events (slug: latepoint-2) in versions 5.2.7 and earlier. It is rated High severity with a CVSS 8.8 score (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H): the vector indicates an issue reachable over the network, with low attack complexity, requiring only low privileges and no user interaction, and with high impact on confidentiality, integrity, and availability.
An attacker must already be authenticated with at least a LatePoint Agent role (or higher). In practical terms, this means the threat can come from a compromised Agent account, an insider, or an attacker who first gains low-level access through credential theft or weak passwords.
From there, the attacker can abuse the customer creation workflow by setting a sensitive field, wordpress_user_id, to an arbitrary WordPress user ID—including an administrator. By linking a “customer” record to an admin account and then using the password reset functionality, they can elevate privileges and take over higher-value accounts.
Security Weakness
The core weakness is an authorization/control gap in how the plugin handles customer creation. Specifically, users with the LatePoint Agent role are allowed to set the wordpress_user_id field when creating a new customer. This field can effectively determine which WordPress account the customer record is linked to.
Because this linkage can be set to an arbitrary user ID, it can be weaponized to connect a customer record to a privileged WordPress account (such as an administrator). Once linked, the attacker can use the password reset process to gain control of that privileged account.
In business terms, this is a breakdown of “who is allowed to change identity links,” and it creates an easy path from a low-privilege operational role (Agent) to full administrative control.
Technical or Business Impacts
If exploited, this issue can result in administrator account takeover, which commonly becomes a full-site compromise. For leadership and compliance teams, the major risk is that a single compromised Agent credential can cascade into control of the entire WordPress environment.
Potential impacts include unauthorized access to customer and booking data, changes to site content and pricing, defacement, malicious redirects, or the installation of backdoors that persist even after password changes. Operationally, this can disrupt appointment scheduling and customer communications—directly impacting revenue, reputation, and customer trust.
From a governance perspective, admin takeover can undermine auditability and introduce compliance exposure, especially if personal data is accessed or altered. Given the High severity rating and the straightforward path from Agent-level access to admin control, this should be treated as a priority business-risk issue.
Remediation: Update LatePoint to version 5.2.8 or a newer patched release. Confirm the update across all environments (production, staging) and consider reviewing Agent accounts, enforcing strong authentication, and validating that password reset and role assignments are monitored for suspicious activity.
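To make the authorization gap described under Security Weakness and the post-update review suggested above concrete, the following is an added, language-neutral model written for this page; it is not LatePoint's code and does not use the plugin's real functions, table names, or role slugs. It assumes a constructed role ranking (ROLE_RANK), a hypothetical allow-list of roles permitted to link customer records to WordPress accounts (LINKING_ROLES), and a small in-memory set of users. The unsafe handler reproduces the weak pattern (any Agent may set wordpress_user_id verbatim); the hardened handler restricts the field to an allow-listed role and refuses links to accounts that outrank the actor; the audit function flags customer records already pointing at privileged accounts, which is the check a defender would run on existing data after upgrading.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed privilege ranking for the roles involved in this example
# (not a WordPress or LatePoint constant). Higher rank means more powerful.
ROLE_RANK = {"subscriber": 0, "latepoint_agent": 1, "editor": 2, "administrator": 3}

# Hypothetical allow-list: only these roles may link a customer record to an
# existing WordPress account. The vulnerable behaviour is "any Agent may".
LINKING_ROLES = {"administrator"}


@dataclass(frozen=True)
class WPUser:
    user_id: int
    login: str
    role: str


@dataclass(frozen=True)
class Customer:
    customer_id: int
    email: str
    wordpress_user_id: Optional[int]
    created_by: int  # user_id of the actor who created the record


class AuthorizationError(Exception):
    """Raised when an actor tries to set a field they are not allowed to."""


def _require_agent(actor: WPUser) -> None:
    # Both handlers share the page's precondition: Agent role or higher.
    if ROLE_RANK[actor.role] < ROLE_RANK["latepoint_agent"]:
        raise AuthorizationError("agent role or higher required")


def create_customer_unsafe(actor: WPUser, payload: dict,
                           users: Dict[int, WPUser], next_id: int) -> Customer:
    """Weak pattern: wordpress_user_id is copied from the request unchecked."""
    _require_agent(actor)
    return Customer(next_id, payload["email"],
                    payload.get("wordpress_user_id"), actor.user_id)


def create_customer_hardened(actor: WPUser, payload: dict,
                             users: Dict[int, WPUser], next_id: int) -> Customer:
    """Hardened pattern: the identity link is a privileged field."""
    _require_agent(actor)
    link = payload.get("wordpress_user_id")
    if link is not None:
        # Check 1: only allow-listed roles may set the field at all.
        if actor.role not in LINKING_ROLES:
            raise AuthorizationError(f"{actor.role} may not set wordpress_user_id")
        target = users.get(link)
        # Check 2: the target must exist and must not outrank the actor.
        if target is None:
            raise AuthorizationError("unknown wordpress_user_id")
        if ROLE_RANK[target.role] > ROLE_RANK[actor.role]:
            raise AuthorizationError("cannot link to a more privileged account")
    return Customer(next_id, payload["email"], link, actor.user_id)


def audit_privileged_links(users: Dict[int, WPUser], customers: List[Customer],
                           min_rank: int = ROLE_RANK["editor"]) -> List[Tuple[int, int, str, int]]:
    """Flag customer records linked to accounts at or above min_rank.

    Returns (customer_id, wordpress_user_id, target_role, created_by) tuples,
    so each finding can be traced back to the account that created the link.
    """
    findings = []
    for c in customers:
        if c.wordpress_user_id is None:
            continue
        target = users.get(c.wordpress_user_id)
        if target is not None and ROLE_RANK[target.role] >= min_rank:
            findings.append((c.customer_id, c.wordpress_user_id, target.role, c.created_by))
    return findings


# Constructed sample users for the demonstration.
USERS = {
    1: WPUser(1, "site-admin", "administrator"),
    7: WPUser(7, "front-desk", "latepoint_agent"),
    9: WPUser(9, "walk-in", "subscriber"),
}
AGENT = USERS[7]
ADMIN = USERS[1]


def demo() -> Tuple[Optional[int], bool, List[Tuple[int, int, str, int]]]:
    """Agent submits a customer linked to user 1 (the administrator)."""
    payload = {"email": "customer@example.invalid", "wordpress_user_id": 1}
    unsafe = create_customer_unsafe(AGENT, payload, USERS, next_id=100)
    try:
        create_customer_hardened(AGENT, payload, USERS, next_id=101)
        hardened_blocked = False
    except AuthorizationError:
        hardened_blocked = True
    findings = audit_privileged_links(USERS, [unsafe])
    return unsafe.wordpress_user_id, hardened_blocked, findings


if __name__ == "__main__":
    print(demo())
```

The audit is deliberately independent of the handlers: after updating the plugin, it is the existing data, not new requests, that may still carry links created while the weak behaviour was live, and the created_by column in each finding points to the Agent account worth reviewing.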
Similar Attacks
Privilege escalation and account takeover patterns like this have been used in widely publicized incidents where attackers pivot from a lower-privilege foothold to full administrative control. Examples:
InfiniteWP Client vulnerability write-up (Wordfence)