{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6741", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-21T11:06:48.322Z", "datePublished": "2026-04-27T19:36:46.601Z", "dateUpdated": "2026-04-28T14:49:46.116Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-27T19:36:46.601Z"}, "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover."}], "title": "LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71e99412-031e-4f4a-9126-dd3a37975246?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/abilities/customers/connect-customer-to-wp-user.php"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/models/customer_model.php"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/roles_helper.php"}, {"url": "https://wordpress.org/plugins/latepoint/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3514330/latepoint"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Valase Paul"}, {"lang": "en", "type": "finder", "value": "Chirita Catalin-Andrei"}, {"lang": "en", "type": "finder", "value": "Ramon Mateas"}], "timeline": [{"time": "2026-04-21T11:22:31.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-27T07:23:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-28T14:48:57.895047Z", "id": "CVE-2026-6741", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:49:46.116Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-6741", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-04-21T11:06:48.322Z", "datePublished": "2026-04-27T19:36:46.601Z", "dateUpdated": "2026-04-28T14:49:46.116Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-27T19:36:46.601Z"}, "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.4.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover."}], "title": "LatePoint <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71e99412-031e-4f4a-9126-dd3a37975246?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/abilities/customers/connect-customer-to-wp-user.php"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/models/customer_model.php"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/roles_helper.php"}, {"url": "https://wordpress.org/plugins/latepoint/"}, {"url": "https://plugins.trac.wordpress.org/changeset/3514330/latepoint"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-269 Improper Privilege Management", "cweId": "CWE-269", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "Valase Paul"}, {"lang": "en", "type": "finder", "value": "Chirita Catalin-Andrei"}, {"lang": "en", "type": "finder", "value": "Ramon Mateas"}], "timeline": [{"time": "2026-04-21T11:22:31.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-04-27T07:23:53.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-6741", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-28T14:48:57.895047Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-28T14:49:06.855Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover."}], "id": "CVE-2026-6741", "lastModified": "2026-04-27T20:21:52.070", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-27T20:16:28.580", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/abilities/customers/connect-customer-to-wp-user.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/roles_helper.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/models/customer_model.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3514330/latepoint"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/latepoint/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/71e99412-031e-4f4a-9126-dd3a37975246?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-269"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.4.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "source": "cna", "vendor": "latepoint"}, "product": "latepoint_\u2013_calendar_booking_plugin_for_appointments_and_events", "vendor": "latepoint"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-28T19:40:55.529957+00:00", "value": {"mitigation_remediation": ["Upgrade the LatePoint plugin to version 5.4.2 or later where the connect-customer-to-wp-user ability correctly verifies the target user\u2019s privileges.", "If an immediate update is not feasible, remove or disable the latepoint_agent role from any users who do not need it, or unfetter the customer__edit capability for that role.", "Prompt all administrator accounts to reset their passwords and audit the customer records to ensure no user IDs are linked to privileged WordPress accounts."], "summary": {"action": "Immediate Patch", "impact": "Privilege Escalation to Administrator"}, "threat_synthesis": {"affected_systems": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events for WordPress, versions 5.4.1 and earlier.", "description_and_impact": "The vulnerability arises from a missing authorization check in the connect-customer-to-wp-user ability of LatePoint. An authenticated user who holds the latepoint_agent role can call the execute() method with only the customer__edit capability, which fails to confirm that the target WordPress user ID is a privileged account. Through this flaw the attacker can associate any LatePoint customer record with an administrator\u2019s WordPress account and then trigger the normal customer password\u2011reset process, ultimately allowing the attacker to take full control of the site.", "risk_and_exploitability": "The CVSS score of 8.8 signals a high\u2011severity vulnerability. Exploitation requires only an authenticated WordPress account possessing the default latepoint_agent role; no additional privileges or external access are needed. The lack of an authorization check provides a clear and direct path for privilege escalation. EPSS data is unavailable and the issue is not listed in CISA\u2019s KEV catalog, but the capacity for an attacker to seize administrative credentials makes immediate attention essential."}}}}, "created": "2026-04-28T02:30:18.593515+00:00", "updated": "2026-04-28T19:45:07.608445+00:00", "vendors": ["latepoint", "latepoint$PRODUCT$latepoint_\u2013_calendar_booking_plugin_for_appointments_and_events", "wordpress", "wordpress$PRODUCT$wordpress"]}