
New WordPress Booking Plugin Flaw Lets Staff Hijack Admin Accounts - Are You Exposed?

Reviewed by Andrii Daniv · 2 min read · Mar 3, 2026

Image: WordPress security dashboard showing a password reset alert and hidden booking access escalating to admin

Security firm Wordfence recently disclosed a high-severity vulnerability in the LatePoint calendar booking plugin for WordPress, affecting up to 100,000 sites that use the tool for appointment scheduling, according to reporting by Search Engine Journal.

WordPress Calendar Plugin Vulnerability Affects Up To 100k Sites
LatePoint calendar plugin vulnerability reportedly affects up to 100,000 WordPress sites.

WordPress calendar plugin vulnerability: Key details

According to the security advisory, the LatePoint - Calendar Booking plugin contains a privilege escalation flaw that allows authenticated users with LatePoint "Agent" access or higher to gain elevated WordPress privileges. Wordfence rated the issue 8.8 out of 10 on the CVSS severity scale.

The flaw affects all LatePoint versions up to and including 5.2.7. Version 5.2.8 is reported to contain a fix. The plugin is widely used by service-based businesses to manage online bookings and related workflows.

  • The affected product is the LatePoint - Calendar Booking Plugin for Appointments and Events for WordPress.
  • The vulnerability involves misuse of the wordpress_user_id field when LatePoint Agents create new customer records.
  • The plugin does not limit which WordPress user ID can be linked through this field.
  • An Agent-level user can link a LatePoint customer record to any existing WordPress account, including an administrator account.
  • After linking, the attacker can reset the associated WordPress user's password through the plugin's customer workflow.
  • Wordfence states this behavior makes privilege escalation possible for authenticated attackers with Agent-level access and above.
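The list above describes an unconstrained foreign key: the plugin accepts whatever wordpress_user_id the Agent submits and later treats the linked account as the customer's own for password resets. The following PHP is an added illustration of the kind of server-side check that closes that gap; it is not LatePoint's code and does not reproduce the 5.2.8 patch. The function names and the customer-tier role list are assumptions; the WordPress calls (absint, get_userdata, current_user_can, user_can, WP_Error, is_wp_error) are standard core APIs.

```php
<?php
/**
 * Added illustration, not LatePoint's code: validate a client-supplied
 * wordpress_user_id before a customer record is linked to a WordPress account.
 *
 * Assumption (hypothetical): this is called from the customer create/update
 * handler with the raw submitted value, before anything is persisted.
 * Returns 0 (no link), a validated user ID, or a WP_Error to reject the save.
 */
function example_validate_customer_user_link( $raw_wordpress_user_id ) {
    // Empty means "no linked WordPress account", which is always acceptable.
    if ( $raw_wordpress_user_id === '' || $raw_wordpress_user_id === null ) {
        return 0;
    }

    $user_id = absint( $raw_wordpress_user_id );
    $target  = get_userdata( $user_id );
    if ( ! $target ) {
        return new WP_Error( 'invalid_user', 'Unknown WordPress user.' );
    }

    // Only callers who may manage other accounts get to link a record to an
    // existing WordPress user at all. `edit_users` is administrator-only by default,
    // so a staff-level Agent never reaches the linkage logic.
    if ( ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'forbidden', 'Linking customers to WordPress accounts requires user-management rights.' );
    }

    // Defence in depth: never let a caller link a record to an account that holds
    // a capability the caller lacks. That is exactly the escalation path.
    if ( user_can( $target, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Cannot link a customer record to an administrator.' );
    }

    // Customer records should point at customer-tier accounts, not staff or admins.
    $allowed_roles = array( 'subscriber', 'customer' ); // assumption: the site's customer-tier roles
    if ( empty( array_intersect( $allowed_roles, (array) $target->roles ) ) ) {
        return new WP_Error( 'forbidden', 'Customer records may only be linked to customer-tier accounts.' );
    }

    return $user_id;
}

/**
 * Added illustration: gate the customer-workflow password reset on the caller's
 * rights over the specific linked account, not merely on plugin-level Agent access.
 * The 'edit_user' meta capability resolves to core's `edit_users` unless the caller
 * is editing their own account, so an Agent cannot reset anyone else's password.
 */
function example_can_reset_linked_user_password( $linked_user_id ) {
    $linked_user_id = absint( $linked_user_id );
    if ( ! $linked_user_id ) {
        return false;
    }
    return current_user_can( 'edit_user', $linked_user_id );
}

// Hypothetical usage inside a customer save handler:
// $link = example_validate_customer_user_link( $_POST['wordpress_user_id'] ?? '' );
// if ( is_wp_error( $link ) ) {
//     wp_die( $link );
// }
// $customer->wordpress_user_id = $link;
```

The two checks address the two halves of the reported chain separately: the first refuses the arbitrary linkage, and the second makes the reset path fail closed even if a bad link already exists in the database, which matters for sites that were on a vulnerable version before updating.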

This chain of actions can ultimately allow an attacker to take over higher-privileged accounts, including site administrators, on affected installations.

Background context

LatePoint is a WordPress plugin that allows businesses to accept online bookings, manage staff schedules, send booking confirmations and updates, and process payments. It integrates these features into WordPress sites used for appointment-based services.

According to published reporting, LatePoint is installed on up to 100,000 WordPress sites. The LatePoint "Agent" role is typically assigned to staff who manage bookings and customer records, not site administrators. On vulnerable versions, that role provides enough access to abuse the wordpress_user_id linkage and trigger the reported password reset behavior.

Wordfence describes the issue as a privilege escalation via password reset affecting all versions up to 5.2.7. The firm identifies LatePoint version 5.2.8 as the release that patches this behavior, so updating the plugin to 5.2.8 or later is reported to close the vulnerability.

Source citations

  • Wordfence advisory on the LatePoint authenticated Agent privilege escalation vulnerability.
  • Coverage of the vulnerability and affected install base by Roger Montti at Search Engine Journal.
Author: Etavrian AI, developed by Andrii Daniv to produce and optimize content for the etavrian.com website.

Reviewed by Andrii Daniv, founder and owner of Etavrian, a performance-driven agency specializing in PPC and SEO services for B2B and e-commerce businesses.