8.8
WordPress plugin allows attackers to gain admin access via password reset
CVE-2026-1566
Summary
A privilege-escalation flaw in the LatePoint plugin for WordPress lets an authenticated user with the LatePoint Agent role or above gain administrator access by linking a customer record to an arbitrary WordPress user ID and then resetting that account's password. This could allow them to access sensitive data and take control of the website. Update the plugin to the latest version to fix this issue.
Original title
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This i...
Original description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePoint Agent role who are creating new customers to set the 'wordpress_user_id' field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to an arbitrary user ID, including administrators, and then resetting the password.
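An added example, not LatePoint's code or its patch, of handling this field server-side: profile fields are allowlisted, and 'wordpress_user_id' is honoured only when the acting user could already edit that account. The function name, the field list and the injected `$can_edit_user` callback are assumptions; in WordPress the callback would wrap `current_user_can('edit_user', $id)`.

```php
<?php
declare(strict_types=1);

// Fields an agent may set when creating a customer (hypothetical list).
const AGENT_CUSTOMER_FIELDS = ['first_name', 'last_name', 'email', 'phone', 'notes'];

/**
 * Build a customer record from submitted parameters (hypothetical helper).
 * $can_edit_user is callable(int $user_id): bool. In WordPress it would be
 * fn (int $id) => current_user_can('edit_user', $id).
 */
function build_customer_record(array $submitted, callable $can_edit_user): array
{
    // Allowlist: copy only known profile fields; anything else is dropped.
    $record = array_intersect_key($submitted, array_flip(AGENT_CUSTOMER_FIELDS));

    // The account link is privileged: accept it only when the actor may
    // already edit the target WordPress user, otherwise reject the request.
    if (isset($submitted['wordpress_user_id'])) {
        $target = filter_var(
            $submitted['wordpress_user_id'],
            FILTER_VALIDATE_INT,
            ['options' => ['min_range' => 1]]
        );
        if ($target === false || !$can_edit_user($target)) {
            throw new DomainException('wordpress_user_id may not be set by this user');
        }
        $record['wordpress_user_id'] = $target;
    }
    return $record;
}

// Constructed sample: an agent with no right to edit any WordPress user.
$agent_cannot_edit = fn (int $id): bool => false;
$request = ['first_name' => 'Ana', 'email' => 'ana@example.test', 'wordpress_user_id' => '1'];

try {
    build_customer_record($request, $agent_cannot_edit);
} catch (DomainException $e) {
    echo "rejected: {$e->getMessage()}\n";
}

// The same request without the link field is accepted.
unset($request['wordpress_user_id']);
print_r(build_customer_record($request, $agent_cannot_edit));
```

Rejecting the request, rather than silently dropping the field, leaves a failed attempt visible in application logs.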
nvd CVSS3.1
8.8
Vulnerability type
CWE-269
Improper Privilege Management
Published: 3 Mar 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026