LatePoint – Calendar Booking Plugin Vulnerability (CVE-2026-6741)

Security Alert Summary

The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress has a privilege escalation vulnerability (CVE-2026-6741) in versions up to and including 5.4.1. A missing authorization check in the plugin allows authenticated users with the latepoint_agent role to link a LatePoint customer record to an administrator’s WordPress account and then use the customer password-reset flow to change the administrator password, which can lead to full site takeover.


CVE Details

  • CVE ID: CVE-2026-6741
  • Affected component: The LatePoint – Calendar Booking Plugin for Appointments and Events (LatePoint plugin for WordPress)
  • Affected versions: Versions up to and including 5.4.1
  • Published: April 27, 2026 at 8:16:28 PM UTC
  • Last modified: April 27, 2026 at 8:21:52 PM UTC
  • CVSS v3.1: Base Score 8.8, Severity: HIGH, Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Authentication / Privileges / User interaction: Privileges Required: LOW; User Interaction: NONE; Attack Vector: NETWORK; Attack Complexity: LOW; Scope: UNCHANGED
  • Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
  • Weakness (CWE): CWE-269 (Improper Privilege Management)

Technical Details

This vulnerability exists because the plugin’s execute() method for the connect-customer-to-wp-user ability omits an authorization check that verifies whether the target WordPress user ID belongs to a privileged account. The code path only requires the customer__edit capability, which is granted to the latepoint_agent role by default. An authenticated user who has the latepoint_agent role can therefore link any LatePoint customer record to an administrator’s WordPress account without additional verification.

Once a customer record is linked to an administrator account, the attacker can use the plugin’s normal customer password-reset flow to reset the administrator’s password. The CVE report indicates this sequence can result in full site takeover.
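To make the missing check concrete, here is an added example (not LatePoint's code; the function and parameter names are assumptions) of how a "connect customer to WP user" handler can refuse to link a customer record to a privileged WordPress account, using only WordPress core capability functions:

```php
<?php
// Added example, not the plugin's code. Names prefixed with example_ are
// hypothetical; current_user_can(), user_can(), get_userdata(), is_super_admin()
// and wp_die() are WordPress core.

/**
 * Return true only if the current user may link a LatePoint customer
 * record to the WordPress account $target_user_id.
 */
function example_can_link_customer_to_wp_user( int $target_user_id ): bool {
    // The existing gate: customer__edit, granted to latepoint_agent by default.
    if ( ! current_user_can( 'customer__edit' ) ) {
        return false;
    }

    $target = get_userdata( $target_user_id );
    if ( ! $target ) {
        return false; // unknown user id
    }

    // The missing piece: a non-administrator must not be able to attach a
    // customer record to any account that holds elevated capabilities.
    $caller_is_admin = current_user_can( 'manage_options' );
    $privileged_caps = array( 'manage_options', 'edit_users', 'promote_users', 'activate_plugins' );
    foreach ( $privileged_caps as $cap ) {
        if ( user_can( $target, $cap ) && ! $caller_is_admin ) {
            return false;
        }
    }
    if ( is_multisite() && is_super_admin( $target_user_id ) && ! is_super_admin() ) {
        return false;
    }
    return true;
}

// Request handler sketch; nonce verification is assumed to happen upstream.
function example_connect_customer_to_wp_user( int $customer_id, int $target_user_id ) {
    if ( ! example_can_link_customer_to_wp_user( $target_user_id ) ) {
        wp_die( 'You are not allowed to link this customer to that WordPress account.', 403 );
    }
    // ... store the customer-to-user link as the plugin normally would ...
}
```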


How This Could Impact Your Website

Consider a typical WordPress site with a site owner, internal staff who manage bookings, and an external contractor or contributor assigned the LatePoint latepoint_agent role. A malicious or compromised user holding that role could link an administrator’s account to a LatePoint customer record and trigger a password reset for the administrator account. Practical consequences include the attacker gaining administrator access, exposure of internal user email addresses, and an increased risk of targeted phishing or social engineering against staff and contractors.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available.
  • Review and reduce unnecessary user roles, especially contributors and any users assigned the latepoint_agent role.
  • Enforce strong passwords and two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins from your site.
  • Monitor site activity and logs for unusual behavior, such as unexpected password resets or new user linkages.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References