CVE-2026-8176
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk44th percentile — higher than 44% of all known CVEs
Summary
The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to and including 5.5.1. The plugin chains three independent flaws that allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without invoking an Administrator-only API.
Risk Assessment
The risk to the organization is that authenticated attackers with Agent access can elevate their privileges to Administrator, potentially leading to unauthorized access to sensitive data and system functions.
Recommendation
It is recommended to update the plugin to the latest version to mitigate this vulnerability and review user permissions to minimize the risk of privilege escalation.
Original NVD description (English source)
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator.

