Privilege Escalation Vulnerability in LatePoint Calendar Booking Plugin for WordPress
CVE-2026-13228

8.8 HIGH

What is CVE-2026-13228?

The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress is susceptible to Privilege Escalation via an Insecure Direct Object Reference (IDOR) in the create_or_update() function. Authenticated agents can supply arbitrary customer IDs, which lets them alter the email field of any LatePoint customer, including customers linked to WordPress Administrator accounts. The flaw arises from inadequate role verification on the supplied customer ID, allowing agents with sufficient access levels to elevate their privileges without authorization.
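The kind of check whose absence the description above points to, as an added example that is not LatePoint's code: a hypothetical Python model of a customer update handler that enforces object-level authorization on the supplied customer ID and treats the email of an administrator-linked customer as read-only for agents. All class, role and function names are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class WPUser:
    id: int
    roles: set = field(default_factory=set)

@dataclass
class Customer:
    id: int
    email: str
    phone: str
    agent_ids: set                 # agents allowed to manage this customer (assumed relation)
    wp_user: Optional[WPUser]      # linked WordPress account, if any

class Forbidden(Exception):
    pass

EDITABLE = {"email", "phone"}      # allow-list: no mass assignment of other columns

def update_customer(actor: WPUser, customer_id: int, fields: dict, db: dict) -> Customer:
    """Apply `fields` to a customer only after object-level authorization.
    Rules (constructed for this example): admins edit any customer; an agent
    edits only customers assigned to them; and below admin, the email of a
    customer linked to an administrator account is read-only (reset channel)."""
    is_admin = "administrator" in actor.roles
    customer = db.get(customer_id)
    # Unknown and not-yours look identical to the caller: no ID enumeration oracle.
    if customer is None or (not is_admin and actor.id not in customer.agent_ids):
        raise Forbidden(f"customer {customer_id} not found")
    unknown = set(fields) - EDITABLE
    if unknown:
        raise Forbidden(f"field(s) not editable: {sorted(unknown)}")
    if "email" in fields and not is_admin and customer.wp_user is not None \
            and "administrator" in customer.wp_user.roles:
        raise Forbidden("agents cannot change the email of an administrator-linked customer")
    for name, value in fields.items():
        setattr(customer, name, value)
    return customer

def build_sample_db():
    """Constructed sample data: one administrator, one agent, two customers."""
    admin = WPUser(1, {"administrator"})
    agent = WPUser(2, {"agent"})                                  # role name assumed
    db = {10: Customer(10, "alice@example.com", "555-0100", {2}, None),    # assigned to the agent
          11: Customer(11, "admin@example.com", "555-0101", set(), admin)}  # linked to the admin
    return db, admin, agent
```

Refusing with the same "not found" error for missing and unassigned IDs keeps the handler from doubling as a customer ID enumeration oracle.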

Affected Version(s)

LatePoint – Calendar Booking Plugin for Appointments and Events, all versions up to and including 5.6.3 (0 <= 5.6.3)

CVSS V3.1

  • Score: 8.8
  • Severity: HIGH
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

d.v4n_s3c