LatePoint – Calendar Booking Plugin for Appointments and Events Vulnerability (CVE-2026-13228)

Security Alert Summary

The LatePoint – Calendar Booking Plugin for Appointments and Events (LatePoint) contains a privilege escalation vulnerability that allows an authenticated Agent-level user to take over an Administrator account. The issue is an Insecure Direct Object Reference (IDOR) combined with a missing role verification: an Agent can overwrite the email address stored on a LatePoint customer record, and the plugin then logs in the WordPress user linked to that email address without checking that user's role.


CVE Details

  • CVE ID: CVE-2026-13228
  • Affected component: LatePoint – Calendar Booking Plugin for Appointments and Events
  • Affected versions: Versions up to and including 5.6.3
  • Published: July 1, 2026 at 11:16:25 AM
  • Last modified: July 1, 2026 at 1:56:17 PM
  • CVSS v3.1: Base Score 8.8, Severity HIGH, Vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Authentication / privileges / user interaction: Requires an authenticated user with low privileges (Agent-level or higher). No user interaction is required according to the CVSS vector.
  • Primary impact: Confidentiality: High; Integrity: High; Availability: High
  • Weakness (CWE): CWE-269 (Improper Privilege Management)

Technical Details

The vulnerability is an Insecure Direct Object Reference (IDOR) in the plugin's order handling code. The create_or_update() function in OsOrdersController accepts an attacker-controlled order[customer_id] value and calls the customer's set_data() method, which is public. Because the controller does not verify that the calling Agent is allowed to act on that customer, an authenticated Agent can overwrite any LatePoint customer's email field.

Separately, OsAuthHelper::authorize_customer() logs in the WordPress user linked to a customer record without verifying that user's role. Chaining the two, an attacker with Agent-level access sets a customer record's email to an Administrator's account email, triggers the customer authorization flow, and is logged in as that Administrator.

The impact is limited to the two behaviors described: overwriting customer email data, and triggering a login of the linked WordPress account without a role check. The root cause is insufficient authorization on customer assignment in the order endpoint combined with the missing role verification during customer authorization.
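The chain above, modelled in Python as an added example (this is not LatePoint's code, and the plugin is written in PHP). The function names create_or_update and authorize_customer are taken from the advisory; the data model, the Site class, the agent-owns-customer rule and the list of roles treated as privileged are assumptions made for illustration. The vulnerable shape is shown beside a hardened one, so the same order payload can be run against both.

```python
"""Model of the LatePoint-style escalation chain (added example, not plugin code).

Assumptions: customers have an agent_id that records which Agent they belong to,
and ELEVATED_ROLES is the site's own policy list of roles that must never be
reachable through the customer login flow.
"""
from dataclasses import dataclass
from typing import Optional

ELEVATED_ROLES = {"administrator", "editor", "shop_manager"}  # assumed policy list


@dataclass
class WPUser:
    user_id: int
    email: str
    roles: frozenset


@dataclass
class Customer:
    customer_id: int
    email: str
    wordpress_user_id: Optional[int] = None
    agent_id: Optional[int] = None  # assumed: the Agent whose bookings this customer belongs to


@dataclass
class Site:
    users: dict
    customers: dict
    logged_in_user: Optional[int] = None

    def user_by_email(self, email):
        return next((u for u in self.users.values() if u.email.lower() == email.lower()), None)


class PermissionDenied(Exception):
    pass


# --- vulnerable shape, as the advisory describes it ---
def create_or_update_vuln(site, actor, order):
    # order[customer_id] is attacker-controlled and applied without any ownership check
    customer = site.customers[order["customer_id"]]
    customer.email = order["customer"]["email"]  # set_data() equivalent
    return customer


def authorize_customer_vuln(site, customer):
    wp_user = site.user_by_email(customer.email)
    if wp_user is None:
        return None
    customer.wordpress_user_id = wp_user.user_id
    site.logged_in_user = wp_user.user_id  # no role check: an admin email logs in the admin
    return wp_user


# --- hardened shape ---
def create_or_update_safe(site, actor, order):
    customer = site.customers.get(order["customer_id"])
    if customer is None or customer.agent_id != actor.user_id:
        raise PermissionDenied("agent may only modify customers assigned to them")
    if "email" in order.get("customer", {}):
        raise PermissionDenied("customer identity fields are not editable via the order endpoint")
    return customer


def authorize_customer_safe(site, customer):
    wp_user = site.user_by_email(customer.email)
    if wp_user is None:
        return None
    if wp_user.roles & ELEVATED_ROLES:
        raise PermissionDenied("refusing customer-flow login for a privileged WordPress user")
    if customer.wordpress_user_id not in (None, wp_user.user_id):
        raise PermissionDenied("customer already linked to a different WordPress user")
    customer.wordpress_user_id = wp_user.user_id
    site.logged_in_user = wp_user.user_id
    return wp_user


def build_site():
    """Constructed sample data: one admin, one agent, one ordinary customer account."""
    admin = WPUser(1, "owner@example.test", frozenset({"administrator"}))
    agent = WPUser(2, "agent@example.test", frozenset({"latepoint_agent"}))
    alice = WPUser(3, "alice@example.test", frozenset({"latepoint_customer"}))
    site = Site(
        users={1: admin, 2: agent, 3: alice},
        customers={
            41: Customer(41, "alice@example.test", agent_id=2),  # belongs to the attacking agent
            42: Customer(42, "bob@example.test", agent_id=3),    # belongs to another agent
        },
    )
    return site, agent


def run_attack(safe):
    """Agent rewrites customer 41's email to the admin's and triggers customer login."""
    site, agent = build_site()
    order = {"customer_id": 41, "customer": {"email": "owner@example.test"}}
    try:
        cust = (create_or_update_safe if safe else create_or_update_vuln)(site, agent, order)
        (authorize_customer_safe if safe else authorize_customer_vuln)(site, cust)
    except PermissionDenied:
        return None
    return site.logged_in_user  # vulnerable: 1 (the admin); hardened: None


if __name__ == "__main__":
    print("vulnerable ->", run_attack(safe=False))
    print("hardened   ->", run_attack(safe=True))
```

The hardened path has two independent gates, and either one alone breaks the chain: the order endpoint refuses customers the Agent does not own and refuses to touch identity fields at all, and the customer login flow refuses to issue a session for any WordPress user holding a privileged role, so even a customer record that already carries an administrator's email cannot be turned into an administrator session.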


How This Could Impact Your Website

On a typical site this involves three parties: the site owner (Administrator), internal staff (Agents or editors), and an external contractor or contributor who has been granted Agent-level access. Any of the Agent-level users could supply a crafted order[customer_id] to overwrite a customer email address with one belonging to a WordPress Administrator account, after which the plugin logs in that Administrator account without verifying its role. Practically, this can lead to:

  • Exposure or modification of internal user email addresses stored in LatePoint customer records.
  • Elevation of an attacker from an Agent-level account to an Administrator account, allowing administrative actions within WordPress if the login succeeds.
  • Increased risk of targeted phishing or social engineering using exposed or modified email addresses.

If you're unsure whether your site is affected, or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially Agent and Contributor roles that have order-related access.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins.
  • Monitor site activity and authentication logs for unusual behavior, especially unexpected logins to administrator accounts and changes to customer records.
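Detection logic for the last item, as an added example that is not part of the advisory or the plugin. WordPress core does not write an activity log, so the JSON-lines format below is constructed for this example; map the fields of whatever activity or audit plugin you run onto it. The set of administrator email addresses is assumed to come from the site's own user list.

```python
"""Correlate customer-email rewrites with administrator logins (added example).

The audit-log format and the sample events are constructed for this example;
ADMIN_EMAILS is assumed to be populated from the site's administrator accounts.
"""
import json
from datetime import datetime, timedelta

ADMIN_EMAILS = {"owner@example.test"}  # assumed: emails of all administrator accounts
WINDOW = timedelta(minutes=15)         # how soon after a rewrite an admin login is suspicious

# constructed sample events: an agent rewrites a customer email to the admin's address,
# the admin "logs in" from the agent's IP seconds later; later events are benign noise
SAMPLE_LOG = """
{"ts": "2026-07-01T10:00:00Z", "event": "customer_updated", "actor": "agent1", "actor_role": "latepoint_agent", "ip": "203.0.113.7", "customer_id": 41, "field": "email", "old": "alice@example.test", "new": "owner@example.test"}
{"ts": "2026-07-01T10:00:04Z", "event": "login", "user": "owner", "user_role": "administrator", "ip": "203.0.113.7"}
{"ts": "2026-07-01T10:30:00Z", "event": "customer_updated", "actor": "agent1", "actor_role": "latepoint_agent", "ip": "203.0.113.7", "customer_id": 43, "field": "phone", "old": "", "new": "555-0100"}
{"ts": "2026-07-01T11:00:00Z", "event": "login", "user": "owner", "user_role": "administrator", "ip": "198.51.100.2"}
"""


def parse(log_text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
    return sorted(events, key=lambda e: e["ts"])


def find_suspicious(events, admin_emails=ADMIN_EMAILS, window=WINDOW):
    """Two rules: (1) a non-admin set a customer email to an admin's address;
    (2) an administrator login within `window` of such a rewrite, flagged more
    strongly when it comes from the same IP as the actor who did the rewrite."""
    findings = []
    rewrites = [
        e for e in events
        if e["event"] == "customer_updated"
        and e.get("field") == "email"
        and e.get("actor_role") != "administrator"
        and e["new"].lower() in {a.lower() for a in admin_emails}
    ]
    for r in rewrites:
        findings.append({
            "rule": "customer_email_set_to_admin",
            "customer_id": r["customer_id"], "actor": r["actor"], "ts": r["ts"],
        })
        for e in events:
            if (e["event"] == "login" and e.get("user_role") == "administrator"
                    and r["ts"] <= e["ts"] <= r["ts"] + window):
                findings.append({
                    "rule": "admin_login_after_customer_rewrite",
                    "user": e["user"], "actor": r["actor"],
                    "same_ip": e["ip"] == r["ip"], "ts": e["ts"],
                })
    return findings


if __name__ == "__main__":
    for f in find_suspicious(parse(SAMPLE_LOG)):
        print(f)
```

Rule 1 on its own is worth alerting on: there is no legitimate reason for an Agent to point a booking customer at an administrator's mailbox. Rule 2 turns that into an incident when a matching administrator login follows, and the same_ip flag is the strongest signal, since the attacker's Agent session and the resulting Administrator session come from the same client.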

If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
