Privilege Escalation Vulnerability in LatePoint Calendar Booking Plugin for WordPress
CVE-2026-8176

7.5 HIGH

What is CVE-2026-8176?

The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress allows authenticated users with Agent-level access to escalate their privileges to Administrator. By exploiting a combination of independent vulnerabilities, such users can overwrite an Administrator's password without needing access to Administrator-only APIs. Malicious actors with authenticated accounts can therefore gain higher-level access, which poses a significant risk to site security.

Affected Version(s)

LatePoint – Calendar Booking Plugin for Appointments and Events: all versions up to and including 5.5.1

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

The Hao