No Agency Cube

SEO news from around the world

SEO news

WordPress Calendar Plugin Vulnerability Affects Up To 100k Sites

Avatar photo

ByRose Milev

Mar 3, 2026


Wordfence published an advisory on a vulnerability in the LatePoint – Calendar Booking WordPress Plugin that makes it possible for authenticated attackers with Agent-level access and above to gain higher level privileges. The vulnerability received a CVSS vulnerability threat score of 8.8/10. The issue affects all versions up to and including 5.2.7.

LatePoint WordPress Calendar Plugin

The LatePoint WordPress plugin is used by service-based businesses to enable customers to book appointments online, manage calendars, accept payments, and send confirmations.

Authenticated (Agent+) Privilege Escalation

The vulnerability requires authentication. Attackers must have an account with the LatePoint Agent role or higher. Agent is not an administrator role. It is typically assigned to staff who manage bookings and customer records. On affected sites, that level of access is enough to exploit the flaw.

The vulnerability is due to the plugin allowing users with a LatePoint Agent role, when creating new customers, to set the wordpress_user_id field. The wordpress_user_id field links a LatePoint customer record to a WordPress user account.

The plugin does not restrict which WordPress user ID can be assigned. Because of this, an Agent can create a customer and link it to any existing WordPress user account, including an administrator account. After linking the account, the Agent can reset the password.

According to Wordfence:

“The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role, who are creating new customers to set the ‘wordpress_user_id’ field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to the arbitrary user ID, including administrators, and then resetting the password.”

What Attackers Can Do

This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to an arbitrary user ID and then resetting that user’s password.

Affected Versions And Patch

The vulnerability affects all versions up to and including 5.2.7. The issue has been patched in version 5.2.8. Users of the LatePoint plugin should update to version 5.2.8 or a newer version.

Featured Image by Shutterstock/breakermaximus



Source link

Avatar photo

By Rose Milev

I always want to learn something new. SEO is my passion.

Related Post

SEO news

Builderius WordPress Page Builder Integrates Claude AI

Mar 3, 2026 Rose Milev
SEO news

How To Build An AI SEO Strategy That Outlasts Tactics

Mar 3, 2026 Rose Milev
SEO news

Significant Advancement In Long-Context AI

Mar 3, 2026 Rose Milev

Leave a Reply

Your email address will not be published. Required fields are marked *

You missed

SEO news

WordPress Calendar Plugin Vulnerability Affects Up To 100k Sites

March 3, 2026 Rose Milev
SEO news

Builderius WordPress Page Builder Integrates Claude AI

March 3, 2026 Rose Milev
SEO tools

SEO’s 5 Stages Of Grief (& How To Adapt to AI SEO)

March 3, 2026 Ryan Bullet
SEO news

How To Build An AI SEO Strategy That Outlasts Tactics

March 3, 2026 Rose Milev
This website uses cookies to improve user experience. By continuing to use the site, you consent to the use of cookies.