WordPress Security Bulletin: LatePoint – Calendar Booking Plugin for Appointments and Events Vulnerability (CVE-2026-1566)

Security Alert Summary

A privilege escalation vulnerability has been identified in the LatePoint – Calendar Booking Plugin for Appointments and Events (CVE-2026-1566). When creating a customer record, an authenticated user holding the LatePoint Agent role can set the record's wordpress_user_id field to any WordPress user ID, including that of an administrator. The Agent can then trigger a password reset for the linked customer, which resets the password of that WordPress account, and so take over the administrator account. The issue affects all versions up to, and including, 5.2.7.


CVE Details

  • CVE ID: CVE-2026-1566
  • Affected component: LatePoint – Calendar Booking Plugin for Appointments and Events (plugin for WordPress)
  • Affected versions: All versions up to, and including, 5.2.7
  • Published: March 3, 2026 at 12:15:55 AM UTC
  • Last modified: March 3, 2026 at 12:15:55 AM UTC
  • CVSS v3.1 Base Score: 8.8
  • CVSS v3.1 Severity: HIGH
  • CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
  • Authentication / Privileges / User Interaction: Privileges Required: LOW; User Interaction: NONE; Attack Vector: NETWORK; Attack Complexity: LOW
  • Primary impact: Confidentiality: HIGH; Integrity: HIGH; Availability: HIGH
  • Weakness: CWE-269 (Improper Privilege Management)

Technical Details

LatePoint lets a customer record be linked to a WordPress user account through its wordpress_user_id field. When a user with the LatePoint Agent role creates a new customer, the plugin accepts whatever value the Agent supplies for that field and does not check that the Agent is entitled to link the customer to that particular account. An Agent can therefore point a new customer record at an existing administrator account (or any other user ID) and then use the plugin's password-reset flow for that customer, which resets the password of the linked WordPress user. The Agent ends up with the privileges of the targeted account.

The root cause is a missing authorization check on the wordpress_user_id assignment during customer creation (CWE-269, Improper Privilege Management): lower-privileged roles can associate customers with arbitrary internal WordPress user IDs. The CVE description specifically notes that this includes administrator accounts and that the linked account's password can be reset.


How This Could Impact Your Website

Consider a site with a site owner (administrator) and a staff member who holds the LatePoint Agent role so they can manage bookings. On an unpatched version, that Agent can create a customer record whose wordpress_user_id is the owner's user ID, run the password reset for it, and end up with administrator access. The CVSS vector (C:H/I:H/A:H) reflects what follows: the Agent can read every user's data, change content and settings, install plugins or themes, create further administrator accounts, and lock the real owner out. The same applies to any contractor or other third party who has been given the Agent role to help with customer data, so the role should be treated as a sensitive one until the site is patched.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.


Recommended Actions

  • Update the plugin as soon as a release later than 5.2.7 that addresses CVE-2026-1566 is published. The CVE entry does not name a fixed version, so check the plugin changelog rather than assuming any update is sufficient.
  • Until then, review who holds the LatePoint Agent role and remove it from anyone who does not need it; treat the role as privileged, because on affected versions it is one step away from administrator.
  • Audit existing LatePoint customer records whose wordpress_user_id points at an administrator or other privileged account, and confirm each link was created deliberately.
  • Review and reduce unnecessary roles and capabilities across the site, especially for low-privilege roles that are granted extra plugin-specific permissions.
  • Enforce strong passwords and two-factor authentication for administrators and editors, and for Agent accounts as well: a compromised Agent login is enough to exploit this issue.
  • Remove unused or unmaintained plugins and watch plugin changelogs for security releases.
  • Monitor site activity and authentication logs for password changes on privileged accounts that the owner did not initiate, new customer records created by Agents that carry a wordpress_user_id, and logins to administrator accounts from unfamiliar locations.
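
The following read-only audit covers both the linkage described under Technical Details and the monitoring item above. It is an added example, not LatePoint code and not part of the original bulletin. Only the wordpress_user_id field name comes from the CVE entry; the script assumes the customer table is {prefix}latepoint_customers with id, email and wordpress_user_id columns, and that the Agent role slug is latepoint_agent. Verify both against your install (wp db tables, wp role list) before relying on the output.

```php
<?php
/**
 * Audit script for the CVE-2026-1566 exposure. Added example: not LatePoint
 * code and not part of the original bulletin. Run from the site root with:
 *
 *     wp eval-file latepoint-link-audit.php
 *
 * Assumptions (the CVE entry confirms only the wordpress_user_id field):
 *   - customer records live in {$wpdb->prefix}latepoint_customers with
 *     columns id, email and wordpress_user_id;
 *   - the Agent role slug is 'latepoint_agent'.
 */

if ( ! defined( 'ABSPATH' ) || ! class_exists( 'WP_CLI' ) ) {
    exit( "Run this file through WP-CLI: wp eval-file latepoint-link-audit.php\n" );
}

global $wpdb;

// Capabilities that make a linked account worth taking over. Linking a
// customer to a user holding any of these is the step the Agent abuses.
$privileged_caps = array( 'manage_options', 'edit_users', 'promote_users', 'install_plugins' );

// 1. Enumerate who holds the Agent role: on an unpatched site every one of
//    these accounts can perform the escalation.
$agents = get_users( array( 'role' => 'latepoint_agent' ) ); // role slug is an assumption
WP_CLI::log( sprintf( 'Users with the LatePoint Agent role: %d', count( $agents ) ) );
foreach ( $agents as $agent ) {
    WP_CLI::log( sprintf( '  #%d %s <%s>', $agent->ID, $agent->user_login, $agent->user_email ) );
}

// 2. Walk every customer record that is linked to a WordPress user and check
//    whether the linked user is privileged. Table name is an assumption.
$table = $wpdb->prefix . 'latepoint_customers';
$rows  = $wpdb->get_results(
    "SELECT id, email, wordpress_user_id FROM {$table} WHERE wordpress_user_id > 0",
    ARRAY_A
);
if ( $wpdb->last_error ) {
    WP_CLI::error( 'Query failed (check the table name): ' . $wpdb->last_error );
}

$flagged = array();
foreach ( $rows as $row ) {
    $user = get_user_by( 'id', (int) $row['wordpress_user_id'] );
    if ( ! $user ) {
        // Dangling link: harmless by itself, but worth knowing about.
        WP_CLI::warning( sprintf( 'Customer #%d points at non-existent user ID %d', $row['id'], $row['wordpress_user_id'] ) );
        continue;
    }

    $hits = array();
    foreach ( $privileged_caps as $cap ) {
        if ( user_can( $user, $cap ) ) {
            $hits[] = $cap;
        }
    }
    if ( empty( $hits ) ) {
        continue;
    }

    $flagged[] = $row['id'];
    WP_CLI::warning( sprintf(
        'Customer #%d (%s) is linked to user #%d "%s" [roles: %s] holding: %s',
        $row['id'],
        $row['email'],
        $user->ID,
        $user->user_login,
        implode( ',', $user->roles ),
        implode( ',', $hits )
    ) );
}

if ( empty( $flagged ) ) {
    WP_CLI::success( sprintf( 'Checked %d linked customer record(s); none point at a privileged account.', count( $rows ) ) );
} else {
    WP_CLI::log( sprintf( '%d of %d linked customer record(s) point at a privileged account; confirm each link was created deliberately.', count( $flagged ), count( $rows ) ) );
}
```

A hit is a lead, not proof of compromise: an administrator who booked an appointment for themselves will legitimately be linked to their own customer record. For each flagged row, check who created the customer record and when, and whether the linked account's password was changed around the same time. The script only reads; it changes nothing.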

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.

