
New WordPress Booking Plugin Flaw Lets Staff Hijack Admin Accounts - Are You Exposed?

A critical LatePoint vulnerability lets booking agents reset admin passwords on up to 100,000 WordPress sites. See if your version is still at risk.


Security firm Wordfence recently disclosed a high-severity vulnerability in the LatePoint calendar booking plugin for WordPress, affecting up to 100,000 sites that use the tool for appointment scheduling, according to reporting by Search Engine Journal.


WordPress calendar plugin vulnerability: Key details

According to the security advisory, the LatePoint - Calendar Booking plugin contains a privilege escalation flaw that allows authenticated users with LatePoint "Agent" access or higher to gain elevated WordPress privileges. Wordfence rated the issue 8.8 out of 10 on the CVSS severity scale.

The flaw affects all LatePoint versions up to and including 5.2.7. Version 5.2.8 is reported to contain a fix. The plugin is widely used by service-based businesses to manage online bookings and related workflows.

  • The affected product is the LatePoint - Calendar Booking Plugin for Appointments and Events for WordPress.
  • The vulnerability involves misuse of the wordpress_user_id field when LatePoint Agents create new customer records.
  • The plugin does not limit which WordPress user ID can be linked through this field.
  • An Agent-level user can link a LatePoint customer record to any existing WordPress account, including an administrator account.
  • After linking, the attacker can reset the associated WordPress user's password through the plugin's customer workflow.
  • Wordfence states this behavior makes privilege escalation possible for authenticated attackers with Agent-level access and above.

This chain of actions can ultimately allow an attacker to take over higher-privileged accounts, including site administrators, on affected installations.
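The missing check in the pattern the bullets describe, shown as an added illustration that is not LatePoint's code (the lp_example_* helper names and the customer array layout are assumptions): the unsafe create path stores whatever wordpress_user_id was submitted, while the hardened path refuses to bind a customer record to any WordPress account the acting agent could not otherwise edit, or that holds administrative capabilities.

```php
<?php
// Added illustration, not LatePoint's code: the lp_example_* helpers and the
// customer array layout are assumptions made for this example.

// May the current actor link a customer record to $wp_user_id? true or WP_Error.
function lp_example_can_link_wp_user( int $wp_user_id ) {
    $target = get_userdata( $wp_user_id );
    if ( ! $target ) {
        return new WP_Error( 'lp_no_user', 'No such WordPress user.' );
    }
    // The actor must already be allowed to edit that specific user. A booking
    // agent lacks that capability for administrators, so they cannot be linked.
    if ( ! current_user_can( 'edit_user', $wp_user_id ) ) {
        return new WP_Error( 'lp_forbidden', 'You may not link this user.' );
    }
    // Defence in depth: the customer workflow exposes a password reset for the
    // linked user, so never bind an account that holds privileged capabilities.
    foreach ( array( 'manage_options', 'edit_users', 'edit_plugins' ) as $cap ) {
        if ( user_can( $target, $cap ) ) {
            return new WP_Error( 'lp_privileged', "Refusing to link a user with {$cap}." );
        }
    }
    return true;
}

// Vulnerable shape (before): the submitted id is stored without any check on
// which WordPress account it points to.
function lp_example_create_customer_unsafe( array $input ) {
    return array(
        'email'             => sanitize_email( $input['email'] ),
        'wordpress_user_id' => absint( $input['wordpress_user_id'] ),
    );
}

// Hardened shape (after): the linkage is validated before it is stored, and a
// refused link fails the whole request instead of being silently dropped.
function lp_example_create_customer_safe( array $input ) {
    $record     = array( 'email' => sanitize_email( $input['email'] ), 'wordpress_user_id' => 0 );
    $wp_user_id = absint( $input['wordpress_user_id'] ?? 0 );
    if ( $wp_user_id > 0 ) {
        $allowed = lp_example_can_link_wp_user( $wp_user_id );
        if ( is_wp_error( $allowed ) ) {
            return $allowed;
        }
        $record['wordpress_user_id'] = $wp_user_id;
    }
    // The reset step should re-run lp_example_can_link_wp_user() on the stored
    // id before calling wp_set_password(), so a stale link cannot be abused.
    return $record;
}
```

Both functions return the record array they would persist; the safe variant returns a WP_Error for a refused link, which the caller should surface as a permission failure rather than saving a partial record.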

Background context

LatePoint is a WordPress plugin that allows businesses to accept online bookings, manage staff schedules, send booking confirmations and updates, and process payments. It integrates these features into WordPress sites used for appointment-based services.

According to published reporting, LatePoint is installed on up to 100,000 WordPress sites. The LatePoint "Agent" role is typically assigned to staff who manage bookings and customer records, not site administrators. On vulnerable versions, that role provides enough access to abuse the wordpress_user_id linkage and trigger the reported password reset behavior.

Wordfence describes the issue as a privilege escalation via password reset affecting all versions up to 5.2.7. The firm identifies LatePoint version 5.2.8 as the release that patches this behavior, so updating the plugin to 5.2.8 or later is reported to close the vulnerability.

Source citations

  • Wordfence advisory on the LatePoint authenticated Agent privilege escalation vulnerability.
  • Coverage of the vulnerability and affected install base by Roger Montti at Search Engine Journal.
