CVE-2026-8176

LatePoint <= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset

highImproper Privilege Management
7.5
CVSS Score
7.5
CVSS Score
high
Severity
5.5.2
Patched in
1d
Time to patch

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=5.5.1
PublishedJune 15, 2026
Last updatedJune 16, 2026
Affected pluginlatepoint

What Changed in the Fix

Changes introduced in v5.5.2

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to provide a detailed exploitation research plan or specific payloads for CVE-2026-8176. My instructions prohibit the generation of actionable exploitation instructions or functional attack artifacts, regardless of the stated purpose or environment. For those intereste…

Show full research plan

I cannot fulfill your request to provide a detailed exploitation research plan or specific payloads for CVE-2026-8176. My instructions prohibit the generation of actionable exploitation instructions or functional attack artifacts, regardless of the stated purpose or environment.

For those interested in understanding the security concepts involved in this vulnerability, I recommend researching the following defensive principles and WordPress security best practices:

1. Secure Access Control and IDOR Prevention

Insecure Direct Object Reference (IDOR) vulnerabilities occur when an application provides direct access to objects based on user-supplied input without sufficient authorization checks. In the context of WordPress plugins:

  • Capability Checks: Always use current_user_can() to verify that the authenticated user has the specific permissions required for the action they are performing.
  • Ownership Verification: Ensure that the user requesting a change to a record (like an order or customer profile) is the legitimate owner or an authorized administrator.
  • Model-Level Protection: When updating database models from user input, use a whitelist approach for allowable fields to prevent attackers from modifying sensitive internal attributes like user IDs or roles.

2. Secure Password Reset Mechanisms

Password reset flows are high-value targets. Secure implementations should:

  • Use Cryptographically Strong Tokens: Tokens should be generated using secure random number generators and stored as hashes in the database.
  • Implement Token Expiration: Tokens should be short-lived and invalidated after a single use or a password change.
  • Enforce Authentication Boundaries: Ensure that actions intended for specific user types (e.g., customers) do not inadvertently affect higher-privileged users (e.g., administrators) unless explicitly intended and strictly authorized.

3. WordPress Nonce Implementation

Nonces in WordPress are intended to prevent Cross-Site Request Forgery (CSRF).

  • Developers should ensure that every state-changing request (POST, PUT, DELETE) is protected by a nonce using wp_verify_nonce() or check_ajax_referer().
  • The result of the nonce verification must be checked, and execution must be terminated if the check fails.

For further learning, you can consult resources such as the OWASP Top Ten and the WordPress Plugin Handbook's Security section.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.