Privilege Escalation Vulnerability in LatePoint Calendar Booking Plugin for WordPress
CVE-2026-6741

8.8 HIGH

What is CVE-2026-6741?

The LatePoint Calendar Booking Plugin for WordPress is vulnerable to privilege escalation because of a missing authorization check in the execute() method. The connect-customer-to-wp-user action is gated only on the customer__edit capability, which the plugin grants to the latepoint_agent role; nothing verifies whether the WordPress user ID being linked belongs to a privileged account. An authenticated attacker holding the latepoint_agent role can therefore link any LatePoint customer record to an administrator's WordPress account, which enables a password reset for that account and can lead to full takeover of the site.
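The defect is the shape of the check, not a specific byte pattern, so the following is an added illustration rather than LatePoint's own code: a minimal authorization decision for a "connect customer record to WordPress user" action, first in the weak form the advisory describes (only the actor's customer__edit capability is consulted) and then in a hardened form that also inspects the target account. The function names, the SENSITIVE_CAPS list and the three sample accounts are assumptions made for the example; capability maps are plain arrays shaped like WP_User::$allcaps so the file runs under the php CLI without a WordPress install.

```php
<?php
// Added example, not LatePoint's code. Inside WordPress you would pass
// wp_get_current_user()->allcaps and get_userdata( $wp_user_id )->allcaps;
// here the capability maps are constructed inline so the file runs stand-alone.

// Capabilities that make an account worth protecting from being linked by a
// lower-privileged actor. These are core WordPress capability names; the list
// itself is an assumption of this example and should be extended for plugins.
const SENSITIVE_CAPS = [
    'manage_options', 'edit_users', 'create_users', 'delete_users',
    'promote_users', 'install_plugins', 'edit_plugins', 'edit_themes',
    'edit_files', 'update_core',
];

/**
 * Weak form, matching the advisory's description of versions <= 5.4.1: the only
 * question asked is whether the actor may edit customers. The WordPress user
 * being linked is never examined, so an agent may pick an administrator's ID.
 */
function weak_can_connect( array $actor_caps ): bool {
    return ! empty( $actor_caps['customer__edit'] );
}

/**
 * Hardened form. The plugin's own gate is kept, and on top of it the target
 * account may not hold any sensitive capability the actor lacks, so an actor
 * can never link a customer record to an account more privileged than itself.
 * Linking a record to the actor's own account is allowed regardless.
 */
function hardened_can_connect( int $actor_id, array $actor_caps, int $target_id, array $target_caps ): bool {
    if ( empty( $actor_caps['customer__edit'] ) ) {
        return false;                       // the original gate, unchanged
    }
    if ( $actor_id === $target_id ) {
        return true;                        // self-link: no escalation possible
    }
    foreach ( SENSITIVE_CAPS as $cap ) {
        if ( ! empty( $target_caps[ $cap ] ) && empty( $actor_caps[ $cap ] ) ) {
            return false;                   // target is more privileged than actor
        }
    }
    return true;
}

// --- Constructed sample accounts (hypothetical data, not from any real site) --
$accounts = [
    // id => [ label, caps ]
    1 => [ 'administrator',   [ 'read' => true, 'manage_options' => true, 'edit_users' => true, 'install_plugins' => true ] ],
    7 => [ 'latepoint_agent', [ 'read' => true, 'customer__edit' => true ] ],
    9 => [ 'subscriber',      [ 'read' => true ] ],
];

// The actor is the agent account (id 7) trying to link a customer record to
// each of the three accounts in turn.
$agent_id   = 7;
$agent_caps = $accounts[ $agent_id ][1];

printf( "%-16s %-8s %-10s\n", 'target', 'weak', 'hardened' );
foreach ( $accounts as $target_id => [ $label, $target_caps ] ) {
    printf(
        "%-16s %-8s %-10s\n",
        $label,
        weak_can_connect( $agent_caps ) ? 'allow' : 'deny',
        hardened_can_connect( $agent_id, $agent_caps, $target_id, $target_caps ) ? 'allow' : 'deny'
    );
}
```

Run with `php` on the command line: the weak check allows all three links, the hardened check denies only the administrator target. Inside WordPress the shortest equivalent of the target check is `current_user_can( 'edit_user', $wp_user_id )`, which core maps to `edit_users` for any account other than the caller's own (and refuses super-admin targets on multisite); the capability-map comparison above shows why that is sufficient and also covers plugin-defined capabilities. The hardened check replaces only the authorization step the advisory identifies and still belongs behind the endpoint's usual nonce and request validation. After updating past 5.4.1, reviewing which customer records are already linked to administrator accounts is the natural follow-up, since the fix does not undo links made while the weak check was in place.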

Affected Version(s)

LatePoint – Calendar Booking Plugin for Appointments and Events: all versions up to and including 5.4.1

References

CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 8.8
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Valase Paul
Chirita Catalin-Andrei
Ramon Mateas