CVE-2026-6741 Overview
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress contains a critical Privilege Escalation vulnerability in versions up to and including 5.4.1. The flaw exists due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability, granted to the latepoint_agent role by default. The code never verifies whether the target WordPress user ID belongs to a privileged account, so authenticated attackers with the latepoint_agent role can link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.
Critical Impact
Authenticated attackers with limited agent-level access can escalate privileges to full WordPress administrator, enabling complete site compromise through password reset manipulation.
Affected Products
- LatePoint – Calendar Booking Plugin for Appointments and Events versions up to and including 5.4.1
- WordPress installations running vulnerable LatePoint plugin versions
- Sites with users assigned the latepoint_agent role
Discovery Timeline
- 2026-04-27 - CVE-2026-6741 published to NVD
- 2026-04-27 - Last updated in NVD database
Technical Details for CVE-2026-6741
Vulnerability Analysis
This Privilege Escalation vulnerability (CWE-269: Improper Privilege Management) stems from inadequate authorization controls within the LatePoint plugin's user account linking functionality. The connect-customer-to-wp-user ability allows users with the customer__edit capability to associate LatePoint customer records with WordPress user accounts. However, the implementation fails to restrict which WordPress accounts can be targeted for this linking operation.
When a LatePoint customer record is linked to a WordPress user account, the customer password-reset flow can then be leveraged to reset the password of the linked WordPress account. Since there is no validation to ensure the target WordPress user ID is not a privileged account (such as an administrator), an attacker with agent-level access can effectively hijack any WordPress account on the system.
The attack can be executed entirely over the network by any authenticated user with the latepoint_agent role, requiring no additional user interaction. Successful exploitation results in complete compromise of confidentiality, integrity, and availability of the WordPress installation.
Root Cause
The root cause lies in the execute() method within the connect-customer-to-wp-user.php file. The method checks that the acting user has the customer__edit capability but omits the authorization check that would reject a target WordPress user ID belonging to a privileged account or to a user other than the customer being edited. This missing boundary check allows arbitrary account linking, creating a privilege escalation pathway through the password reset mechanism.
Attack Vector
The attack leverages the network-accessible plugin functionality and requires only low-privileged authentication (the latepoint_agent role). An attacker would:
- Authenticate to WordPress with an account having the latepoint_agent role
- Create or identify an existing LatePoint customer record
- Use the connect-customer-to-wp-user functionality to link the customer record to an administrator's WordPress user ID
- Initiate a password reset through the LatePoint customer password-reset flow
- Use the reset link to set a new password for the administrator account
- Log in as the administrator with the newly set password
The vulnerability requires no user interaction and can be exploited remotely, making it particularly dangerous for publicly accessible WordPress installations.
Detection Methods for CVE-2026-6741
Indicators of Compromise
- Unexpected modifications to LatePoint customer records linking them to administrator accounts
- Password reset requests for administrator accounts originating from LatePoint plugin endpoints
- Audit logs showing connect-customer-to-wp-user operations targeting privileged user IDs
- Unauthorized administrator login activity following LatePoint-related customer operations
Detection Strategies
- Monitor WordPress audit logs for account linking operations involving administrator user IDs
- Implement alerting on password reset requests for privileged accounts
- Review LatePoint plugin activity logs for suspicious customer-to-user linking patterns
- Deploy web application firewall rules to detect and log requests to vulnerable plugin endpoints
Monitoring Recommendations
- Enable comprehensive logging for all LatePoint plugin operations
- Configure alerts for any modifications to user account associations within the plugin
- Monitor for privilege escalation patterns such as rapid account linking followed by password resets
- Implement real-time monitoring of administrator account changes and login events
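The detection strategies and monitoring recommendations above amount to one correlation rule: an account-linking operation performed by a latepoint_agent that targets a privileged WordPress user ID, followed shortly by a password reset or login for that same user. The script below is an added example (not part of this advisory or of the LatePoint project) that applies that rule to constructed JSON-lines audit events; the event format, field names, action names and the privileged-ID set are assumptions to be adapted to whatever audit or WAF logging the site actually produces.

```python
"""Correlate LatePoint account-linking events with later password resets.

Added example, not code from the advisory or the LatePoint plugin. The log
format, field/action names and PRIVILEGED_USER_IDS are assumptions.
"""
import json
from datetime import datetime, timedelta

# Assumed: WordPress user IDs that hold administrator-level roles on this site.
PRIVILEGED_USER_IDS = {1, 2}
WINDOW = timedelta(hours=1)  # how long after a link a reset/login still counts

# Constructed sample audit events (JSON lines); not real site data.
SAMPLE_LOG = """\
{"ts":"2026-04-28T09:00:05Z","actor":"agent_bob","role":"latepoint_agent","action":"connect-customer-to-wp-user","customer_id":41,"wp_user_id":57}
{"ts":"2026-04-28T09:12:40Z","actor":"agent_bob","role":"latepoint_agent","action":"connect-customer-to-wp-user","customer_id":42,"wp_user_id":1}
{"ts":"2026-04-28T09:13:02Z","actor":"agent_bob","role":"latepoint_agent","action":"customer_password_reset_request","customer_id":42,"wp_user_id":1}
{"ts":"2026-04-28T09:14:30Z","actor":"admin","role":"administrator","action":"wp_login","wp_user_id":1}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime 'ts', sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious_chains(events, privileged=PRIVILEGED_USER_IDS, window=WINDOW):
    """Alert on a latepoint_agent linking a customer to a privileged WP user,
    and list any reset request / login for that user within the window."""
    alerts = []
    for i, ev in enumerate(events):
        if ev["action"] != "connect-customer-to-wp-user":
            continue
        if ev["role"] != "latepoint_agent" or ev["wp_user_id"] not in privileged:
            continue  # link made by an admin, or to a non-privileged user
        followups = [f["action"] for f in events[i + 1:]
                     if f["wp_user_id"] == ev["wp_user_id"]
                     and f["action"] in ("customer_password_reset_request", "wp_login")
                     and f["ts"] - ev["ts"] <= window]
        reset_seen = "customer_password_reset_request" in followups
        alerts.append({"actor": ev["actor"], "wp_user_id": ev["wp_user_id"],
                       "customer_id": ev["customer_id"], "followups": followups,
                       "severity": "critical" if reset_seen else "high"})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_chains(parse_events(SAMPLE_LOG)):
        print(alert)
```

The link to user 57 is ignored (not privileged); the link to user 1 by agent_bob produces a critical alert because a reset request and a login for that user follow within the window.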
How to Mitigate CVE-2026-6741
Immediate Actions Required
- Update LatePoint plugin to the latest patched version immediately
- Review all LatePoint customer records for unauthorized account linkages to administrator accounts
- Audit all accounts with the latepoint_agent role for suspicious activity
- Reset passwords for any administrator accounts that may have been compromised
- Temporarily disable the LatePoint plugin if an update is not immediately available
Patch Information
The vendor has released a security patch addressing this vulnerability. The fix is documented in WordPress Latepoint Changeset 3514330. Administrators should update to the patched version through the WordPress plugin update mechanism or by downloading the latest version from the WordPress Latepoint Plugin Page.
Workarounds
- Remove or restrict the latepoint_agent role from untrusted users until the patch is applied
- Implement additional access controls at the web server or WAF level to restrict access to LatePoint administrative endpoints
- Disable the customer-to-WordPress-user linking functionality if not required for business operations
- Enable multi-factor authentication for all administrator accounts to add an additional layer of protection
# WordPress CLI command to check LatePoint plugin version
wp plugin list --name=latepoint --fields=name,version,update_version
# Update LatePoint plugin to latest version
wp plugin update latepoint
# List users with latepoint_agent role for review
wp user list --role=latepoint_agent --fields=ID,user_login,user_email
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.