216.73.216.67

CVE-2026-6741

· Published 27/04/2026 20:16 · Modified 27/04/2026 20:21

Labels: CVE-2026-6741 2026-04-27CVE-2026-6741CWE-269[email protected]

Essential information

Published
27/04/2026 20:16
Modified
27/04/2026 20:21
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.

NVD status

Status
Deferred — When a CVE is given this status the NVD does not plan analyze or re-analyze this CVE due to resource or other concerns.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
latepoint / calendar booking plugin cpe:2.3:a:latepoint:calendar_booking_plugin:<5.4.1:*:*:*:*:wordpress:*:*

References