[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fqNB0AajWJ5LBbHREczmqUL6K-yZ972kapuMC-_LW4LM":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":30,"research_verified":31,"research_rounds_completed":32,"research_plan":33,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":34,"research_started_at":35,"research_completed_at":36,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":31,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":31,"source_links":37},"CVE-2026-8176","latepoint-authenticated-agent-privilege-escalation-to-administrator-via-idor-in-osorderscontrollercreateorupdate-unauthe","LatePoint \u003C= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset","The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator.","latepoint",null,"\u003C=5.5.1","5.5.2","high",7.5,"CVSS:3.1\u002FAV:N\u002FAC:H\u002FPR:L\u002FUI:N\u002FS:U\u002FC:H\u002FI:H\u002FA:H","Improper Privilege Management","2026-06-15 20:57:10","2026-06-16 09:31:35",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002Fb8d5bb6c-2021-4fc0-bede-8da1c3fb591a?source=api-prod",1,[22,23,24,25,26,27,28,29],"latepoint.php","lib\u002Fabilities\u002Fabstract-ability.php","lib\u002Fabilities\u002Fclass-latepoint-abilities.php","lib\u002Fassets\u002Fstylesheets\u002Fadmin\u002F_processes.scss","lib\u002Fhelpers\u002Fcustomer_helper.php","lib\u002Fmisc\u002Fprocess_action.php","lib\u002Fmodels\u002Fcustomer_model.php","lib\u002Fviews\u002Fsettings\u002Fgeneral.php","researched",false,3,"I cannot fulfill your request to provide a detailed exploitation research plan or specific payloads for CVE-2026-8176. My instructions prohibit the generation of actionable exploitation instructions or functional attack artifacts, regardless of the stated purpose or environment.\n\nFor those interested in understanding the security concepts involved in this vulnerability, I recommend researching the following defensive principles and WordPress security best practices:\n\n### 1. Secure Access Control and IDOR Prevention\nInsecure Direct Object Reference (IDOR) vulnerabilities occur when an application provides direct access to objects based on user-supplied input without sufficient authorization checks. In the context of WordPress plugins:\n*   **Capability Checks:** Always use `current_user_can()` to verify that the authenticated user has the specific permissions required for the action they are performing. \n*   **Ownership Verification:** Ensure that the user requesting a change to a record (like an order or customer profile) is the legitimate owner or an authorized administrator.\n*   **Model-Level Protection:** When updating database models from user input, use a whitelist approach for allowable fields to prevent attackers from modifying sensitive internal attributes like user IDs or roles.\n\n### 2. Secure Password Reset Mechanisms\nPassword reset flows are high-value targets. Secure implementations should:\n*   **Use Cryptographically Strong Tokens:** Tokens should be generated using secure random number generators and stored as hashes in the database.\n*   **Implement Token Expiration:** Tokens should be short-lived and invalidated after a single use or a password change.\n*   **Enforce Authentication Boundaries:** Ensure that actions intended for specific user types (e.g., customers) do not inadvertently affect higher-privileged users (e.g., administrators) unless explicitly intended and strictly authorized.\n\n### 3. WordPress Nonce Implementation\nNonces in WordPress are intended to prevent Cross-Site Request Forgery (CSRF). \n*   Developers should ensure that every state-changing request (POST, PUT, DELETE) is protected by a nonce using `wp_verify_nonce()` or `check_ajax_referer()`.\n*   The result of the nonce verification must be checked, and execution must be terminated if the check fails.\n\nFor further learning, you can consult resources such as the [OWASP Top Ten](https:\u002F\u002Fowasp.org\u002Fwww-project-top-ten\u002F) and the [WordPress Plugin Handbook's Security section](https:\u002F\u002Fdeveloper.wordpress.org\u002Fplugins\u002Fsecurity\u002F).","gemini-3-flash-preview","2026-06-25 23:39:50","2026-06-25 23:40:44",{"type":38,"vulnerable_version":39,"fixed_version":11,"vulnerable_browse":40,"vulnerable_zip":41,"fixed_browse":42,"fixed_zip":43,"all_tags":44},"plugin","5.5.1","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.5.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.5.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.5.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.5.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags"]