Mar 11, 2026 · 7 min read
Authenticated Agent users in LatePoint <= 5.2.7 can escalate to Administrator by linking a customer record to an admin's WordPress ID and executing a password reset.
CVE-2026-1566 is a high-severity privilege escalation vulnerability in the LatePoint WordPress plugin affecting versions 5.2.7 and earlier. Authenticated attackers with Agent privileges can manipulate the wordpress_user_id parameter during customer creation to link their account to an administrator, enabling full site takeover via password reset mechanisms.
CVE-2026-1566 is a high-severity privilege escalation vulnerability located in the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress. The vulnerability affects all versions of the plugin up to and including version 5.2.7. It allows authenticated users with low-level privileges, specifically those assigned the "LatePoint Agent" role, to escalate their privileges to the Administrator level. This results in a complete compromise of the underlying WordPress installation.
The vulnerable component is the customer management module within the LatePoint Agent dashboard. LatePoint Agents are responsible for managing bookings, schedules, and customer records. The plugin exposes specific endpoints and administrative functions to allow Agents to create or update these customer records. The vulnerability exists within the input validation and authorization logic of these specific functions.
This flaw is classified under CWE-269: Improper Privilege Management. The plugin fails to verify if the authenticated Agent has the necessary permissions to assign arbitrary WordPress user IDs to customer profiles. By exploiting this lack of validation, an attacker can manipulate database relationships, linking a low-privileged customer record to a highly privileged WordPress core account.
The root cause of CVE-2026-1566 lies in the insecure handling of the wordpress_user_id parameter during the customer creation and modification processes. The LatePoint plugin uses this specific parameter to establish a relationship between a LatePoint customer entity and a standard WordPress user account. This linkage allows customers to log into the WordPress site using native authentication mechanisms while interacting with LatePoint's booking interfaces.
When a LatePoint Agent submits a request to create or update a customer, the backend application processes the incoming HTTP POST request and extracts various parameters, including the wordpress_user_id. In vulnerable versions of the plugin, the code fails to implement adequate authorization checks on this specific field. The application assumes that any data submitted by an authenticated Agent is legitimate and permissible for that user role.
Because the authorization boundary is missing, the application processes the user-supplied wordpress_user_id value without validating whether the Agent holds the authority to associate the customer with that specific WordPress account. The database operation executes, writing the attacker-controlled value into the mapping table. The flaw combines mass assignment with an insecure direct object reference: a foreign key supplied by the client is accepted without any ownership or capability check, so an Agent can deliberately map a customer profile they control to an administrator account, such as the default administrator with user ID 1.
The vulnerability exists in the plugin's customer data saving routine, which processes array inputs directly into database columns. The vulnerable implementation retrieves the POST payload and iteratively maps keys to database fields. If the wordpress_user_id key is present in the request, the application assigns its value to the customer object and persists it to the database. No conditional logic verifies the current user's capability against the target wordpress_user_id.
The official remediation was introduced in changeset 3463945 and released in version 5.2.8. The patch introduces strict authorization checks before allowing modifications to the wordpress_user_id field. The updated logic explicitly validates the capabilities of the user initiating the request.
The patched code implements a verification function that checks if the currently authenticated user has the manage_options capability (or an equivalent high-level administrative capability) before processing the wordpress_user_id assignment. If the user lacks the required privileges, the application drops the parameter from the input array or terminates the transaction, successfully mitigating the improper privilege management vulnerability.
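The following is an added illustration of the vulnerable and patched shapes described above; it is not LatePoint's code. The request layout (`$post['customer'][...]`), the column list and the `$can` callable standing in for WordPress' `current_user_can()` are assumptions made for the demo. The drop-the-field check in the hardened version is the same shape a temporary server-side mitigation (for example an mu-plugin filtering the request before the plugin sees it) would take.

```php
<?php
declare(strict_types=1);

// Illustrative reconstruction of the CWE-269 flaw. NOT LatePoint's code: the
// request layout ($post['customer'][...]), the column list and the $can
// callable (standing in for WordPress' current_user_can()) are assumptions.

const CUSTOMER_COLUMNS = ['first_name', 'last_name', 'email', 'wordpress_user_id'];

// Vulnerable shape: every submitted key that matches a column is copied into
// the record, so an Agent who adds wordpress_user_id=1 to the POST body links
// the customer to the administrator's WordPress account.
function build_customer_vulnerable(array $post): array
{
    $customer = [];
    foreach ($post['customer'] ?? [] as $key => $value) {
        if (in_array($key, CUSTOMER_COLUMNS, true)) {
            $customer[$key] = $value;
        }
    }
    return $customer;
}

// Hardened shape: wordpress_user_id is honoured only when the caller holds
// manage_options; for anyone else the key is dropped before the record is
// persisted, so the Agent's value never reaches the database.
function build_customer_hardened(array $post, callable $can): array
{
    $customer = build_customer_vulnerable($post);
    if (!array_key_exists('wordpress_user_id', $customer)) {
        return $customer;
    }
    if (!$can('manage_options')) {
        unset($customer['wordpress_user_id']);
        return $customer;
    }
    // Privileged caller: still coerce to a positive integer before saving.
    $id = filter_var($customer['wordpress_user_id'], FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]);
    if ($id === false) {
        unset($customer['wordpress_user_id']);
    } else {
        $customer['wordpress_user_id'] = $id;
    }
    return $customer;
}

// Constructed request body: what an Agent's tampered POST would carry.
$tampered = ['customer' => [
    'first_name'        => 'Mallory',
    'email'             => 'mallory@example.test',
    'wordpress_user_id' => '1',   // attacker-added: the administrator's WP user ID
]];

$agentCan = fn(string $cap): bool => false;                      // Agent lacks manage_options
$adminCan = fn(string $cap): bool => $cap === 'manage_options';  // administrator

foreach ([
    'vulnerable, agent' => build_customer_vulnerable($tampered),
    'hardened, agent'   => build_customer_hardened($tampered, $agentCan),
    'hardened, admin'   => build_customer_hardened($tampered, $adminCan),
] as $label => $record) {
    printf("%-18s wordpress_user_id=%s\n", $label,
        var_export($record['wordpress_user_id'] ?? null, true));
}
```

Run with `php demo.php`. The vulnerable path stores the Agent's `'1'` unchanged; the hardened path drops the key for the Agent and keeps an integer-validated value only for the privileged caller. On an update (rather than create) request, dropping the key means the previously stored link is left untouched, which is the behaviour you want.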
Exploitation of CVE-2026-1566 requires the attacker to hold an active, authenticated session with "LatePoint Agent" privileges on the target WordPress application. The attacker navigates to the customer management interface and initiates a request to create a new customer. Using an interception proxy, the attacker captures the outgoing HTTP POST request and appends or modifies the wordpress_user_id parameter, setting its value to 1 (the typical ID of the primary administrator).
The application processes the malicious payload and stores the relationship. The attacker then utilizes LatePoint's built-in customer portal to initiate a password reset for the newly created customer account. Because the customer record is now explicitly linked to the WordPress administrator account, the plugin's password reset routine queries the database for the associated WordPress user ID and updates the password for that account.
The attacker receives the password reset token or directly sets the new password, depending on the plugin's specific reset flow. With the administrator's password successfully changed, the attacker logs into the standard WordPress administrative panel (/wp-admin) using the new credentials. This grants the attacker full administrative control over the application.
The security impact of CVE-2026-1566 is severe, resulting in a complete compromise of the confidentiality, integrity, and availability of the affected WordPress site. By successfully executing the exploit, the attacker gains full administrative access. This allows the attacker to read all sensitive data stored in the database, including customer PII, internal booking schedules, and site configuration details.
From an integrity perspective, the attacker can modify any content, inject malicious scripts into pages, install rogue plugins, or alter core application files. This level of access frequently leads to the deployment of persistent backdoors, ensuring the attacker maintains access even if the initial vulnerability is subsequently patched. The availability of the system is equally compromised, as the attacker possesses the necessary privileges to delete the entire site, disrupt services, or repurpose the underlying server infrastructure for secondary attacks.
The CVSS v3.1 vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, resulting in a base score of 8.8. The attack requires low privileges and no user interaction, making it highly exploitable by malicious insiders or external actors who have compromised a low-privileged account. Given that the LatePoint plugin has over 100,000 active installations, this vulnerability presents a significant risk to a large number of organizations.
The definitive remediation for CVE-2026-1566 is to upgrade the LatePoint plugin to version 5.2.8 or later. Site administrators must apply this update immediately to neutralize the privilege escalation vector. The update contains the necessary structural changes to the authorization logic, preventing low-privileged users from manipulating the wordpress_user_id parameter.
Administrators must also conduct a post-incident forensic review to identify potential prior exploitation. This involves auditing the wp_users and LatePoint customer database tables. Security personnel should search for any LatePoint customer records that are linked to highly privileged WordPress accounts (such as Administrators or Editors) that do not have a legitimate business reason for such an association.
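An added forensic check for that review, not part of the original advisory. It lists every LatePoint customer record linked to a WordPress user who holds a privileged role, parsing the serialized `wp_capabilities` value rather than pattern-matching it. Table and column names (`wp_users`, `wp_usermeta`, `wp_latepoint_customers.wordpress_user_id`) and the `latepoint_agent` role slug are assumptions; adjust them to the site's real table prefix and schema. It runs against an in-memory SQLite database filled with constructed rows (PDO SQLite driver required); on a live site point the PDO DSN at the MySQL database instead.

```php
<?php
declare(strict_types=1);

// Added forensic check; not part of the original advisory. Table/column names
// and the latepoint_agent role slug are assumptions. Runs offline against an
// in-memory SQLite database populated with constructed rows.

function find_privileged_customer_links(PDO $db, array $privilegedRoles): array
{
    // Every customer record linked to a WordPress user, with that user's
    // serialized role/capability map from wp_usermeta.
    $sql = <<<SQL
SELECT c.id AS customer_id, c.email AS customer_email,
       u.ID AS wp_user_id, u.user_login, m.meta_value AS capabilities
FROM wp_latepoint_customers c
JOIN wp_users u ON u.ID = c.wordpress_user_id
JOIN wp_usermeta m ON m.user_id = u.ID AND m.meta_key = 'wp_capabilities'
SQL;
    $hits = [];
    foreach ($db->query($sql, PDO::FETCH_ASSOC) as $row) {
        // WordPress stores roles as a serialized PHP array, e.g.
        // a:1:{s:13:"administrator";b:1;}. Parse it; never instantiate classes.
        $caps = unserialize($row['capabilities'], ['allowed_classes' => false]);
        if (!is_array($caps)) {
            continue;
        }
        $roles = array_keys(array_filter($caps));        // roles set to true
        $privileged = array_intersect($roles, $privilegedRoles);
        if ($privileged !== []) {
            $row['roles'] = implode(',', $privileged);
            unset($row['capabilities']);
            $hits[] = $row;
        }
    }
    return $hits;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT)');
$db->exec('CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT)');
$db->exec('CREATE TABLE wp_latepoint_customers (id INTEGER PRIMARY KEY, email TEXT, wordpress_user_id INTEGER)');

// Constructed sample data: the administrator (ID 1), an Agent (ID 7) and an
// ordinary subscriber (ID 42).
$db->exec("INSERT INTO wp_users VALUES (1,'admin'), (7,'agent_bob'), (42,'alice')");
$db->exec("INSERT INTO wp_usermeta VALUES
    (1,  'wp_capabilities', 'a:1:{s:13:\"administrator\";b:1;}'),
    (7,  'wp_capabilities', 'a:1:{s:15:\"latepoint_agent\";b:1;}'),
    (42, 'wp_capabilities', 'a:1:{s:10:\"subscriber\";b:1;}')");
// Customer 10 is a legitimate subscriber link; customer 11 is the kind of
// record the exploit leaves behind, pointing at the administrator.
$db->exec("INSERT INTO wp_latepoint_customers VALUES
    (10, 'alice@example.test',   42),
    (11, 'mallory@example.test', 1)");

foreach (find_privileged_customer_links($db, ['administrator', 'editor']) as $hit) {
    printf("customer %d <%s> -> WP user %d (%s) role(s): %s\n",
        $hit['customer_id'], $hit['customer_email'], $hit['wp_user_id'],
        $hit['user_login'], $hit['roles']);
}
```

Only customer 11 is reported. Any hit is a record to explain: compare its creation time and creating Agent against the plugin's own logs, and treat an unexplained link to an administrator as evidence of exploitation rather than a configuration quirk.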
If anomalous linkages are discovered, administrators should immediately terminate the affected user sessions, reset the passwords for all administrative accounts, and review the server logs for indicators of post-exploitation activity. Organizations that cannot immediately apply the patch should deploy Web Application Firewall (WAF) rules that inspect incoming HTTP POST requests to the LatePoint customer endpoints and block any request carrying the wordpress_user_id parameter. Note that a WAF in front of the site generally cannot distinguish an Agent's session from an administrator's, so the practical interim rule is to reject the parameter for every request to those endpoints and to remove the rule once the plugin is updated.
| Product | Affected Versions | Fixed Version |
|---|---|---|
| LatePoint – Calendar Booking Plugin for Appointments and Events (WordPress) | <= 5.2.7 | 5.2.8 |
| Attribute | Detail |
|---|---|
| CVSS v3.1 Score | 8.8 (High) |
| CWE ID | CWE-269 |
| Attack Vector | Network |
| Privileges Required | Low (LatePoint Agent) |
| Impact | Privilege Escalation to Administrator |
| Exploit Status | Proof of Concept Available |
| KEV Status | Not Listed |
| EPSS Score | 0.04% |
CWE-269, Improper Privilege Management: the software does not properly assign, modify, track, or check privileges for an actor, creating an unintended sphere of control for that actor.