CVE-2026-49083

LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.5.1 - Authenticated (Contributor+) Privilege Escalation

highIncorrect Privilege Assignment
8.8
CVSS Score
8.8
CVSS Score
high
Severity
5.5.2
Patched in
6d
Time to patch

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation in all versions up to, and including, 5.5.1. This makes it possible for authenticated attackers, with Contributor-level access and above, to elevate their privileges to that of an administrator.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
High
Confidentiality
High
Integrity
High
Availability

Technical Details

Affected versions<=5.5.1
PublishedJune 5, 2026
Last updatedJune 10, 2026
Affected pluginlatepoint

What Changed in the Fix

Changes introduced in v5.5.2

Loading patch diff...

Source Code

WordPress.org SVN
Research Plan
Unverified

permission )` and `$this->permission` is `manage_options`. And if `OsRolesHelper::can_user` is buggy. The "Contributor+" requirement is interesting. Why Contributor? In LatePoint, Contributors/Authors are often the "Agents". Only Agents/Managers/Admins have access to the LatePoint b…

Show full research plan

permission )and$this->permissionismanage_options. And if OsRolesHelper::can_user` is buggy.

The "Contributor+" requirement is interesting. Why Contributor?
In LatePoint, Contributors/Authors are often the "Agents".
Only Agents/Managers/Admins have access to the LatePoint backend in the WP Admin.
If the vulnerability requires access to the LatePoint admin scripts to get the nonce or trigger the route.

Let's stick to the most robust path for a PoC:
**Abusing `agents__save` to become LatePoint Admin, then abusing LatePoint Admin status to escalate WP role.**

*   `latepoint_route_call` AJAX action.
*   `route` parameter: `agents__save`.
*   `agent[id]`: The ID of the current user's agent record.
*   `agent[role]`: Set to `admin`.
*   `_wpnonce`: The nonce for `latepoint_route_call`.

*   `latepoint_route_call` AJAX action.
*   `route` parameter: `settings__update`.
*   `settings[allow_customer_registration]=on`
*   `settings[customer_wp_user_role]=administrator`
*   `_wpnonce`: The nonce.

*   Register a new account. It will be an Administrator.

*   V

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.