CVE Catalog

CVE-2026-8176

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.61%

44th percentile — higher than 44% of all known CVEs

Summary

The LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to and including 5.5.1. The plugin chains three independent flaws that allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without invoking an Administrator-only API.

Risk Assessment

The risk to the organization is that authenticated attackers with Agent access can elevate their privileges to Administrator, potentially leading to unauthorized access to sensitive data and system functions.

Recommendation

It is recommended to update the plugin to the latest version to mitigate this vulnerability and review user permissions to minimize the risk of privilege escalation.

Original NVD description (English source)

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS