CVE-2026-49083

Vulnerability

The LatePoint WordPress plugin, version 5.5.1 and earlier, contains a privilege escalation vulnerability that allows a user with a contributor-level account to escalate their privileges to a higher level. This issue arises from insufficient access control checks in the plugin's code, enabling lower-privileged users to perform actions reserved for higher roles [1].

Exploitation

An attacker must have a valid contributor-level account on a WordPress site running an affected version of LatePoint. No other special network position or user interaction is required; the attacker can directly exploit the vulnerability through normal authenticated requests to escalate their privileges [1].

Impact

Successful exploitation allows the attacker to gain elevated privileges, potentially up to administrator level. With higher privileges, the attacker can take full control of the website, including modifying content, installing malicious plugins, creating new admin accounts, and exfiltrating sensitive data. This leads to a complete compromise of the site's confidentiality, integrity, and availability [1].

Mitigation

Update to LatePoint version 5.5.2 or later, which resolves the vulnerability. Patchstack has also provided a mitigation rule that blocks attack attempts until the update is applied. Users are advised to apply the update immediately; if unable, enable auto-updates for vulnerable plugins through Patchstack [1].