CVE-2026-8176 Overview
CVE-2026-8176 affects the LatePoint Calendar Booking Plugin for Appointments and Events for WordPress in versions up to and including 5.5.1. The vulnerability chains three independent flaws that allow an authenticated user with Agent-level access or higher to overwrite a WordPress Administrator's password without invoking any Administrator-only API. The flaw maps to CWE-269: Improper Privilege Management and enables vertical privilege escalation to full Administrator on affected sites.
Critical Impact
Authenticated Agent+ users can overwrite an Administrator account password and seize full control of the WordPress site, including content, plugins, and user data.
Affected Products
- LatePoint – Calendar Booking Plugin for Appointments and Events (WordPress plugin)
- All versions up to and including 5.5.1
- Sites where Agent or higher LatePoint roles are exposed to untrusted users
Discovery Timeline
- 2026-06-16 - CVE-2026-8176 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2026-8176
Vulnerability Analysis
The vulnerability is a vertical privilege escalation chain residing in the customer cabinet, customers, and orders controllers of the LatePoint plugin. According to the Wordfence Vulnerability Report, three independent flaws combine so that an authenticated Agent can drive a password change on an arbitrary user. Because LatePoint maps Agent accounts to underlying WordPress users, the password change can target a WordPress Administrator account.
Once the Administrator password is overwritten, the attacker authenticates as that Administrator and gains complete control of the WordPress site. The chain bypasses standard role checks because the affected endpoints assume the calling Agent only operates on customer records.
Root Cause
The root cause is improper privilege management [CWE-269] across multiple LatePoint controllers and helpers. Source review references at customer_cabinet_controller.php (lines 415 and 491), customers_controller.php (line 342), orders_controller.php (lines 100 and 124), customer_helper.php (line 253), and customer_model.php (lines 322 and 427) point to Agent-accessible flows that reach the password update logic without verifying that the target user's role is at or below the caller's. The plugin trusts caller-supplied identifiers and does not gate the password update path behind an Administrator-only capability check.
Attack Vector
Exploitation requires network access to the WordPress site and authenticated Agent (or higher) credentials within the LatePoint plugin. The attacker submits requests to the customer cabinet or orders endpoints that ultimately invoke the customer model password update routine against an Administrator-linked user record. No user interaction from the Administrator is required. See the LatePoint Changeset Review for the upstream code changes that close the chain.
No public proof-of-concept exploit has been released, and the vulnerability is not listed in the CISA KEV catalog.
Detection Methods for CVE-2026-8176
Indicators of Compromise
- Unexpected password changes on WordPress Administrator accounts not initiated by the Administrator.
- New Administrator logins from IP addresses previously associated with low-privilege Agent accounts.
- POST requests from authenticated Agent sessions to LatePoint customer cabinet, customers, or orders endpoints immediately preceding an Administrator password reset.
Detection Strategies
- Review WordPress user_activity and authentication logs for password update events tied to Administrator accounts and correlate with LatePoint controller requests.
- Audit LatePoint Agent role assignments and look for recently created Agent accounts that subsequently triggered customer or order endpoint traffic.
- Inspect web server access logs for requests to customer_cabinet_controller, customers_controller, and orders_controller routes with parameters referencing user IDs outside the caller's customer scope.
Monitoring Recommendations
- Enable WordPress audit logging plugins to capture role changes, password resets, and Administrator authentications.
- Alert on any Administrator login that occurs within a short window after Agent-authenticated requests to LatePoint controllers.
- Monitor the LatePoint plugin version across sites and flag any instance still running version 5.5.1 or earlier.
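As an added illustration of the detection and monitoring recommendations above (correlating Agent-session requests to LatePoint controller routes with Administrator password updates, and flagging Administrator logins shortly after Agent activity), the following Python script is not from the advisory or from LatePoint. Its access-log lines, audit events, the query-string route names and the `latepoint_agent` role label are constructed assumptions for illustration; only the controller file names come from the advisory.

```python
import re
from datetime import datetime, timedelta

# Constructed combined-format access log. The "route=" query layout is an
# assumption for illustration, not LatePoint's real URL scheme.
ACCESS_LOG = """\
203.0.113.7 - - [16/Jun/2026:10:02:11 +0000] "POST /wp-admin/admin-ajax.php?route=customer_cabinet_controller/update_account HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [16/Jun/2026:10:02:19 +0000] "POST /wp-admin/admin-ajax.php?route=orders_controller/update HTTP/1.1" 200 480 "-" "Mozilla/5.0"
198.51.100.4 - - [16/Jun/2026:10:05:00 +0000] "GET /wp-content/plugins/latepoint/readme.txt HTTP/1.1" 200 1200 "-" "curl/8.0"
203.0.113.7 - - [16/Jun/2026:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Constructed audit events, shaped like an export from a WordPress audit-logging
# plugin. The role label "latepoint_agent" is assumed.
AUDIT_EVENTS = [
    {"ts": "2026-06-16T09:58:30+00:00", "event": "login", "user": "agent_bob",
     "role": "latepoint_agent", "ip": "203.0.113.7"},
    {"ts": "2026-06-16T10:02:20+00:00", "event": "password_update", "user": "siteadmin",
     "role": "administrator", "ip": "203.0.113.7"},
    {"ts": "2026-06-16T10:03:41+00:00", "event": "login", "user": "siteadmin",
     "role": "administrator", "ip": "203.0.113.7"},
    # Legitimate reset with no Agent activity nearby; must not be flagged.
    {"ts": "2026-06-16T11:30:00+00:00", "event": "password_update", "user": "siteadmin",
     "role": "administrator", "ip": "192.0.2.9"},
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Controller names from the advisory's source review references.
CONTROLLER_RE = re.compile(r"(customer_cabinet|customers|orders)_controller")


def parse_access_log(text):
    """Parse combined-format lines into dicts; malformed lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        entries.append({
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "ip": m["ip"], "method": m["method"],
            "path": m["path"], "status": int(m["status"]),
        })
    return entries


def latepoint_controller_requests(entries):
    """Keep only POSTs that hit one of the three affected controller routes."""
    return [e for e in entries
            if e["method"] == "POST" and CONTROLLER_RE.search(e["path"])]


def agent_ips(events):
    """IPs that authenticated as a LatePoint Agent during the audit window."""
    return {e["ip"] for e in events
            if e["event"] == "login" and "agent" in e["role"]}


def flag_admin_events(entries, events, event_type, window=timedelta(minutes=10)):
    """Return Administrator events of `event_type` that were preceded, within
    `window`, by controller requests from an Agent-associated IP."""
    requests = latepoint_controller_requests(entries)
    ips = agent_ips(events)
    findings = []
    for ev in events:
        if ev["event"] != event_type or ev["role"] != "administrator":
            continue
        when = datetime.fromisoformat(ev["ts"])
        preceding = [r for r in requests
                     if r["ip"] in ips and when - window <= r["ts"] <= when]
        if preceding:
            findings.append({
                "admin_user": ev["user"], "ts": ev["ts"],
                "agent_ip": preceding[-1]["ip"],
                "request_count": len(preceding),
                "paths": [r["path"] for r in preceding],
            })
    return findings


def find_suspicious_chains(entries, events, window=timedelta(minutes=10)):
    """Indicator: Administrator password update right after Agent controller traffic."""
    return flag_admin_events(entries, events, "password_update", window)


def find_admin_logins_after_agent_activity(entries, events, window=timedelta(minutes=10)):
    """Indicator: Administrator login right after Agent controller traffic."""
    return flag_admin_events(entries, events, "login", window)


if __name__ == "__main__":
    log = parse_access_log(ACCESS_LOG)
    for f in find_suspicious_chains(log, AUDIT_EVENTS):
        print("ALERT password chain:", f)
    for f in find_admin_logins_after_agent_activity(log, AUDIT_EVENTS):
        print("ALERT admin login after agent activity:", f)
```

On real data, replace the constructed strings with the web server's access log and the audit plugin's export, and tune the window to the site's normal traffic; the Agent IP set should come from the plugin's own login records rather than from a single day of events.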
How to Mitigate CVE-2026-8176
Immediate Actions Required
- Update the LatePoint plugin to a version newer than 5.5.1 that includes the fix referenced in the upstream changeset.
- Rotate passwords for all WordPress Administrator accounts on sites that ran a vulnerable LatePoint version.
- Review and remove any unrecognized Agent-level LatePoint accounts and audit recent Administrator account changes.
Patch Information
The vendor addressed CVE-2026-8176 in the LatePoint plugin release following version 5.5.1. Code changes are documented in the LatePoint Changeset Review and span the customer cabinet, customers, and orders controllers as well as the customer helper and customer model files. Administrators should apply the update through the WordPress plugin manager and verify the installed version after the upgrade.
Workarounds
- Restrict LatePoint Agent role assignment to fully trusted internal users until the patch is applied.
- Disable the LatePoint plugin on sites where Agent registration is publicly accessible and the update cannot be applied immediately.
- Place the WordPress admin and LatePoint endpoints behind an IP allowlist or a web application firewall rule that blocks unauthenticated and Agent-level access to password-changing routes.
# Verify installed LatePoint version on a WordPress host
wp plugin get latepoint --field=version
# Update LatePoint to the latest patched release
wp plugin update latepoint
# List all users with the WordPress administrator role for review
wp user list --role=administrator --fields=ID,user_login,user_email,user_registered
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.