CVE-2026-8176
Description
LatePoint plugin up to 5.5.1 allows authenticated Agents to escalate to Administrator by chaining three flaws to overwrite admin password.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The LatePoint Calendar Booking Plugin for WordPress versions up to and including 5.5.1 contains a privilege escalation vulnerability that chains three independent flaws. The plugin exposes the continue_order_intent and continue_transaction_intent actions as public endpoints [1][3], allowing any authenticated user with Agent+ access to manipulate order intents. Through a sequence of steps, an attacker can overwrite a WordPress Administrator's password without invoking any Administrator-only API, thereby escalating privileges to Administrator.
Exploitation
An attacker needs an authenticated account with at least Agent access (Agent+). By crafting requests to the publicly reachable continue_order_intent and continue_transaction_intent endpoints, the attacker abuses their flawed logic to modify order intents in a way that ends in overwriting an Administrator's password. The sequence consists of sending specially crafted parameters to these endpoints, leveraging the missing authorization checks on the underlying functions [2][4].
Impact
Successful exploitation allows the attacker to gain Administrator-level privileges on the WordPress site. This results in full control over the site, including the ability to modify content, install plugins, change user roles, and exfiltrate data. The confidentiality, integrity, and availability of the site are completely compromised.
Mitigation
As of the publication date of this CVE, no official patch has been released by the plugin vendor. Until one is, restrict Agent-level accounts to trusted staff, audit the plugin's customer records for any that are linked to an Administrator's WordPress user ID (that link is the pivot of the chain), reset the password of any Administrator found linked, and monitor for unexpected Administrator password changes. Update the plugin as soon as a fixed version becomes available; if no fix is forthcoming, consider disabling the plugin or replacing it with an alternative.
- [1] https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/orders_controller.php#L124
- [2] https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/orders_controller.php#L100
- [3] https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/orders_controller.php#L100
- [4] https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/orders_controller.php#L124
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- 2 entries (no CPE): range <= 5.5.1
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing authorization checks on customer-to-WP-user connection endpoints combined with insufficient mass-assignment scoping allow an Agent+ attacker to overwrite an Administrator's password."
Attack vector
An authenticated attacker with Agent+ privileges exploits three chained flaws: (1) the `connect_to_wp_user()` and `disconnect_from_wp_user()` endpoints lack a capability check, so an Agent can link a customer record to an arbitrary WordPress user ID; (2) the `update()` method chooses its mass-assignment scope from `OsAuthHelper::is_admin_logged_in()`, and for a non-admin caller that restricted scope withholds only the `wordpress_user_id` field, leaving the customer's password field writable; (3) after linking a customer to an existing Administrator's WordPress user ID, the attacker updates that customer's password, and the change is carried through to the Administrator's account. The attack is performed over HTTP POST requests with valid nonces and never calls an Administrator-only API; the scope restriction is bypassed not by defeating it but by setting `wordpress_user_id` through the unprotected endpoint in step (1) instead of through `update()`.
Affected code
The vulnerability chain resides in `customers_controller.php` (the `update()` method at line 342 and surrounding code) and the `OsCustomerModel` mass-assignment logic. The `update()` method uses `set_data()` with a scope that depends on `OsAuthHelper::is_admin_logged_in()`, but an Agent+ attacker can manipulate the `wordpress_user_id` field through a separate customer-to-WP-user connection endpoint, ultimately overwriting an Administrator's password without invoking an Administrator-only API.
What the fix does
The advisory does not provide a patch diff, but the recommended fix is to enforce proper capability checks (Administrator-only) on the customer-to-WP-user connection endpoints and to ensure that the `wordpress_user_id` field is never writable by non-Administrator roles, regardless of the scope returned by `OsAuthHelper::is_admin_logged_in()`. Additionally, the `update()` method should validate that the authenticated user has the required role before allowing any mass-assignment of sensitive fields, and should reject out-of-scope fields rather than silently dropping them.
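The chain above and the recommended fix, replayed as an added Python model (this is not LatePoint's PHP, and nothing here is the plugin's own code): the in-memory `Store`, the `Caller` role model, the `sync_password_to_wp` step that carries a customer password into the linked WordPress account, and the function names are all assumptions standing in for the plugin's customer endpoints. The vulnerable pair shows the Agent's two requests overwriting the administrator's password; the hardened pair refuses at the link step and, as defence in depth, at the password step; `customers_linked_to_admins` is the audit the Mitigation section suggests.

```python
"""Model of the Agent -> Administrator chain and a hardened variant.
Added example, not LatePoint code: Store, Caller, the password-sync step
and every function name below are assumptions used to model the logic."""
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a hardened endpoint refuses the request."""


@dataclass
class Caller:
    user_id: int
    role: str  # "administrator" or "agent" (models WP role / LatePoint Agent)

    @property
    def is_admin(self) -> bool:
        return self.role == "administrator"


@dataclass
class Store:
    # Constructed in-memory stand-ins for wp_users and the plugin's customers table.
    wp_users: dict = field(default_factory=dict)   # wp_user_id -> {"role", "password"}
    customers: dict = field(default_factory=dict)  # customer_id -> {"email", "password", "wordpress_user_id"}


def sync_password_to_wp(store, customer):
    """Assumed behaviour: a customer's password is pushed to its linked WP account."""
    wp = store.wp_users.get(customer.get("wordpress_user_id"))
    if wp is not None and customer.get("password"):
        wp["password"] = customer["password"]


# --- vulnerable pattern ---------------------------------------------------------

def connect_to_wp_user_vulnerable(store, caller, customer_id, wp_user_id):
    # Flaw 1: no capability check, so an Agent may link any WP user id.
    store.customers[customer_id]["wordpress_user_id"] = wp_user_id


def update_customer_vulnerable(store, caller, customer_id, data):
    # Flaw 2: the non-admin scope withholds only wordpress_user_id; "password"
    # stays mass-assignable and is then synced to whichever WP user is linked.
    scope = {"email", "password", "wordpress_user_id"} if caller.is_admin else {"email", "password"}
    customer = store.customers[customer_id]
    customer.update({k: v for k, v in data.items() if k in scope})
    sync_password_to_wp(store, customer)  # Flaw 3: the chain lands here
    return customer


# --- hardened pattern -----------------------------------------------------------

def connect_to_wp_user_hardened(store, caller, customer_id, wp_user_id):
    # Linking a customer to a WP account is an administrator-only operation.
    if not caller.is_admin:
        raise Forbidden("connect_to_wp_user requires administrator")
    if wp_user_id not in store.wp_users:
        raise Forbidden("unknown WP user")
    store.customers[customer_id]["wordpress_user_id"] = wp_user_id


def update_customer_hardened(store, caller, customer_id, data):
    scope = {"email", "password", "wordpress_user_id"} if caller.is_admin else {"email", "password"}
    rejected = set(data) - scope
    if rejected:
        # Fail closed instead of silently dropping out-of-scope fields.
        raise Forbidden(f"fields not writable by {caller.role}: {sorted(rejected)}")
    customer = store.customers[customer_id]
    linked = store.wp_users.get(customer.get("wordpress_user_id"))
    # Defence in depth: a non-admin never rewrites a privileged account's password
    # through the customer record, whatever the link field currently says.
    if "password" in data and linked and linked["role"] == "administrator" and not caller.is_admin:
        raise Forbidden("refusing password sync into an administrator account")
    customer.update(data)
    sync_password_to_wp(store, customer)
    return customer


def customers_linked_to_admins(store):
    """Audit check for incident response: customer rows pointing at an administrator."""
    return sorted(cid for cid, c in store.customers.items()
                  if store.wp_users.get(c.get("wordpress_user_id"), {}).get("role") == "administrator")


def run_chain(hardened):
    """Replay the Agent's two requests against one variant and report the outcome."""
    store = Store(
        wp_users={1: {"role": "administrator", "password": "admin-original"},
                  7: {"role": "agent", "password": "agent-pw"}},
        customers={42: {"email": "customer@example.test", "password": "cust-pw", "wordpress_user_id": None}},
    )
    agent = Caller(user_id=7, role="agent")
    connect = connect_to_wp_user_hardened if hardened else connect_to_wp_user_vulnerable
    update = update_customer_hardened if hardened else update_customer_vulnerable
    blocked = None
    try:
        connect(store, agent, 42, 1)                     # request 1: link customer 42 to WP user 1 (admin)
        update(store, agent, 42, {"password": "pwned"})  # request 2: set the customer password
    except Forbidden as exc:
        blocked = str(exc)
    return {"blocked": blocked,
            "admin_password": store.wp_users[1]["password"],
            "linked_to_admins": customers_linked_to_admins(store)}


if __name__ == "__main__":
    print("vulnerable:", run_chain(hardened=False))
    print("hardened:  ", run_chain(hardened=True))
```

The hardened `update_customer_hardened` keeps the password field writable for Agents on ordinary customers, since that is presumably a legitimate Agent task; what it refuses is the two things the chain depends on, a non-admin creating the link and a non-admin pushing a password into a privileged account through it. Rejecting out-of-scope fields with an error rather than dropping them also makes probing of the scope visible in logs.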
Preconditions
- auth: Attacker must be authenticated with at least the Agent+ role in the LatePoint plugin.
- config: The target WordPress site must have at least one Administrator user whose password can be overwritten.
- input: The attacker must know or be able to guess the Administrator's WordPress user ID.
Generated on Jun 16, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customers_controller.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/models/customer_model.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customer_cabinet_controller.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customers_controller.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/orders_controller.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/helpers/customer_helper.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/models/customer_model.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customers_controller.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/orders_controller.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php (NVD)
- https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/models/customer_model.php (NVD)
- https://plugins.trac.wordpress.org/changeset (NVD)
- https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d5bb6c-2021-4fc0-bede-8da1c3fb591a (NVD)
News mentions
No linked articles in our index yet.