Privilege Escalation Vulnerability in LatePoint Calendar Booking Plugin for WordPress
CVE-2026-13228
8.8 HIGH
Key Information:
- Vendor: WordPress
- CVE Published: 1 July 2026
What is CVE-2026-13228?
The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress is vulnerable to privilege escalation through an Insecure Direct Object Reference (IDOR) in the create_or_update() function. Authenticated agents can supply arbitrary customer IDs, which lets them change the email field of any LatePoint customer, including customers linked to WordPress Administrator accounts. The flaw arises from inadequate role verification and allows unauthorized elevation of privileges for agents with sufficient access levels.
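An added example, not LatePoint's code or the vendor's fix: a small PHP model of the object-level and role checks whose absence the description above points to. The role names, the `agent_ids` assignment field and the sample records are hypothetical and constructed.

```php
<?php
// Added example. All names and data are hypothetical and constructed;
// this models the checks and is not LatePoint's schema or code.
const ROLE_RANK = ['subscriber' => 0, 'agent' => 1, 'administrator' => 2];

$customers = [
    101 => ['email' => 'client@example.test', 'wp_role' => null,            'agent_ids' => [7]],
    102 => ['email' => 'owner@example.test',  'wp_role' => 'administrator', 'agent_ids' => [7]],
    103 => ['email' => 'other@example.test',  'wp_role' => null,            'agent_ids' => [9]],
];

/** Decide whether $actor may apply $fields to the customer record $id. */
function authorize_customer_update(array $actor, int $id, array $fields, array $customers): array
{
    if (!isset($customers[$id])) {
        return [false, 'unknown customer'];
    }
    $customer  = $customers[$id];
    $actorRank = ROLE_RANK[$actor['role']] ?? -1;
    if ($actorRank < ROLE_RANK['agent']) {
        return [false, 'role may not edit customers'];
    }
    // Object-level check: the ID comes from the request, so verify the
    // actor's relationship to that record instead of trusting it.
    $isAdmin = $actorRank === ROLE_RANK['administrator'];
    if (!$isAdmin && !in_array($actor['id'], $customer['agent_ids'], true)) {
        return [false, 'customer is not assigned to this agent'];
    }
    // Role check on the target: the email of a customer linked to a
    // higher-ranked WordPress account is off limits to the actor.
    $changesEmail = isset($fields['email']) && $fields['email'] !== $customer['email'];
    $targetRank   = $customer['wp_role'] === null ? -1 : ROLE_RANK[$customer['wp_role']];
    if ($changesEmail && $targetRank > $actorRank) {
        return [false, 'email of a higher-privileged linked account'];
    }
    return [true, 'allowed'];
}

$agent = ['id' => 7, 'role' => 'agent'];
$cases = [
    [101, ['email' => 'new@example.test']],   // own customer, no linked account
    [102, ['email' => 'new@example.test']],   // assigned, but linked to an administrator
    [102, ['phone' => '555-0100']],           // same record, non-sensitive field
    [103, ['email' => 'new@example.test']],   // another agent's customer
];
foreach ($cases as [$id, $fields]) {
    [$ok, $why] = authorize_customer_update($agent, $id, $fields, $customers);
    printf("customer %d %s: %s (%s)\n", $id, json_encode($fields), $ok ? 'ALLOW' : 'DENY', $why);
}
```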
Affected Version(s)
LatePoint – Calendar Booking Plugin for Appointments and Events 0 <= 5.6.3