Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-13228

CVE-2026-13228: LatePoint WordPress Privilege Escalation

CVE-2026-13228 is a privilege escalation vulnerability in the LatePoint WordPress plugin that allows Agent-level users to gain Administrator access through an IDOR flaw. This article covers technical details, affected versions, and steps to secure your installation.

Published:

CVE-2026-13228 Overview

CVE-2026-13228 is a privilege escalation vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress. The flaw affects all versions up to and including 5.6.3. An authenticated user with Agent-level access can elevate privileges to Administrator by exploiting an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController. The issue is compounded by missing role verification in OsAuthHelper::authorize_customer(), which logs in the associated WordPress account without validating its role.

Critical Impact

Authenticated Agent-level attackers can overwrite an Administrator's email address in the LatePoint customer table and hijack the linked WordPress Administrator account, gaining full site control.

Affected Products

  • LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress
  • All versions up to and including 5.6.3
  • Fixed in version 5.6.4

Discovery Timeline

  • 2026-07-01 - CVE-2026-13228 published to NVD
  • 2026-07-01 - Last updated in NVD database

Technical Details for CVE-2026-13228

Vulnerability Analysis

The vulnerability chains two distinct weaknesses to achieve full privilege escalation. First, the create_or_update() function in OsOrdersController accepts an attacker-controlled order[customer_id] parameter without validating that the requesting Agent is authorized to modify that specific customer record. Second, the plugin exposes a public-scope set_data() call on the customer object, allowing arbitrary field updates including the email field. This constitutes an Insecure Direct Object Reference [CWE-269] where object identifiers are trusted from client input.

The second half of the chain resides in OsAuthHelper::authorize_customer(). The helper resolves a WordPress user from the LatePoint customer email and logs that user in without verifying the target account's role. Because LatePoint treats customer authentication as a low-privilege operation, no check prevents authentication as an Administrator account linked by email.

Root Cause

The root cause is a combination of missing object-level authorization in the orders controller and missing role verification in the authentication helper. Neither layer enforces that a customer record targeted by an Agent belongs to that Agent, nor that the WordPress account bound to a customer email is safe to authenticate through the customer flow.

Attack Vector

An authenticated attacker with Agent-level access submits a crafted request to the orders endpoint, setting order[customer_id] to the identifier of the LatePoint customer record tied to the site Administrator. The request modifies the target customer's email field to an attacker-controlled address. The attacker then triggers the customer authentication flow, which resolves the WordPress Administrator by email and calls wp_set_auth_cookie() without a role check, granting the attacker an active Administrator session.

Verified code references are available in the WordPress LatePoint orders controller and the LatePoint auth helper.

Detection Methods for CVE-2026-13228

Indicators of Compromise

  • Unexpected changes to the email field of the LatePoint customer record associated with any WordPress Administrator account.
  • New or modified Administrator sessions originating from users previously holding only Agent-level access.
  • POST requests to LatePoint order endpoints containing an order[customer_id] value that does not correspond to the authenticated Agent's assigned customers.
  • WordPress wp_users table entries showing email changes shortly followed by successful Administrator logins.

Detection Strategies

  • Review WordPress audit logs for user_email updates on privileged accounts correlated with LatePoint order activity.
  • Alert on authentication events where a WordPress user with the administrator role is authenticated through the LatePoint customer login flow.
  • Compare LatePoint customer email fields against the WordPress wp_users table to identify recent overlaps introduced by Agent accounts.

Monitoring Recommendations

  • Enable verbose logging on the LatePoint plugin and capture parameters submitted to OsOrdersController::create_or_update().
  • Monitor changes to wp_usermeta role assignments and any elevation of non-admin accounts to administrator.
  • Ingest WordPress and web server logs into a centralized SIEM to correlate order submissions with subsequent privileged sessions.

How to Mitigate CVE-2026-13228

Immediate Actions Required

  • Update LatePoint to version 5.6.4 or later immediately.
  • Audit all WordPress Administrator accounts for recent email address changes and reset compromised credentials.
  • Review Agent-level accounts for suspicious activity and revoke access for any account that does not require it.
  • Force session invalidation for all users after patching to terminate any hijacked Administrator sessions.

Patch Information

The vendor addressed the vulnerability in LatePoint version 5.6.4. The fix is applied in changeset 3590914 and the 5.6.3 to 5.6.4 update diff. See the Wordfence advisory 8f9db3b8 for additional detail.

Workarounds

  • If patching is not immediately possible, deactivate the LatePoint plugin until the upgrade can be applied.
  • Restrict Agent-level account creation and limit membership to trusted staff only.
  • Deploy a Web Application Firewall rule to block requests to LatePoint order endpoints containing an order[customer_id] parameter from non-privileged sessions.
  • Ensure Administrator accounts use email addresses that are not reused for any LatePoint customer record.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.