
CVE-2026-6741

Severity: High
Weakness Type: CWE-269
Published: Apr 27, 2026  ·  Modified: May 4, 2026  ·  Source: NVD
CVSS v3: 8.8
🔗 NVD Official
📄 Description (English)

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.

🤖 AI Executive Summary

CVE-2026-6741 is a critical privilege escalation vulnerability in the LatePoint WordPress booking plugin (versions ≤5.4.1) that allows authenticated agents to link customer records to administrator accounts and reset their passwords, enabling complete site takeover. The vulnerability stems from missing authorization checks in the connect-customer-to-wp-user function. With no patch currently available and a CVSS score of 8.8, this poses an immediate threat to WordPress installations using this plugin across Saudi organizations.

🤖 AI Intelligence Analysis Analyzed: May 1, 2026 04:32
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability poses significant risk to Saudi healthcare providers, beauty salons, fitness centers, and service-based businesses that rely on WordPress booking systems. Government agencies and ARAMCO contractors using appointment scheduling systems are at elevated risk. Banking sector websites offering appointment booking for customer services could be compromised. The vulnerability enables complete administrative access, allowing attackers to steal customer data, modify financial records, inject malware, or conduct further attacks on connected systems. Organizations in the healthcare sector (regulated by MOH) and financial services (regulated by SAMA) face compliance violations and potential data breach notifications.
🏢 Affected Saudi Sectors
Healthcare (MOH-regulated clinics and hospitals)
Banking and Financial Services (SAMA-regulated)
Government Agencies (NCA oversight)
Energy Sector (ARAMCO and contractors)
Telecommunications (STC, Mobily, Zain)
Hospitality and Tourism
Beauty and Wellness Services
Fitness and Sports Centers
Professional Services (Legal, Consulting)
Educational Institutions
🎯 MITRE ATT&CK Techniques
T1078 - Valid Accounts
T1078.001 - Default Accounts
T1078.002 - Domain Accounts
T1078.003 - Local Accounts
T1078.004 - Cloud Accounts
T1548 - Abuse Elevation Control Mechanism
T1548.002 - Bypass User Account Control
T1547 - Boot or Logon Autostart Execution
T1098 - Account Manipulation
T1098.001 - Additional Cloud Credentials
T1098.002 - Exchange Email Delegate Permissions
T1098.003 - Additional Cloud Roles
T1098.004 - SSH Authorized Keys
T1110 - Brute Force
T1110.001 - Password Guessing
T1110.002 - Password Cracking
T1110.003 - Password Spraying
T1110.004 - Credential Stuffing
T1555 - Credentials from Password Stores
T1187 - Forced Authentication
T1621 - Multi-Factor Authentication Interception
T1556 - Modify Authentication Process
T1556.006 - Multi-Factor Authentication
T1040 - Network Sniffing
T1528 - Steal Application Access Token
T1111 - Multi-Factor Authentication Interception
T1556.001 - Domain Controller Authentication
T1556.002 - Password Filter DLL
T1556.003 - Pluggable Authentication Modules
T1556.004 - Network Device Authentication
T1556.005 - Reversible Encryption
T1556.007 - Hybrid Identity
T1556.008 - Reversible Encryption
⚖️ Saudi Risk Score (AI): 9.2 / 10.0
🔧 Remediation Steps (English)
IMMEDIATE ACTIONS:
1. Audit all WordPress installations using LatePoint plugin versions ≤5.4.1 across your organization
2. Identify all users with latepoint_agent role and review their recent activities for suspicious account linking
3. Check WordPress user database for unexpected customer-to-admin account linkages
4. Review password reset logs for unauthorized administrator password changes
5. Disable the LatePoint plugin immediately if not critical to operations

COMPENSATING CONTROLS (until patch available):
1. Remove latepoint_agent role from all non-essential users
2. Implement WordPress user role restrictions via security plugins (e.g., User Role Editor)
3. Enable WordPress security logging and monitor for connect-customer-to-wp-user function calls
4. Implement Web Application Firewall (WAF) rules to block requests to /wp-admin/admin-ajax.php with latepoint-specific parameters
5. Enforce strong password policies and multi-factor authentication (MFA) for all administrator accounts
6. Restrict database access to LatePoint tables (wp_latepoint_*) to read-only for agent roles

DETECTION RULES:
1. Monitor WordPress logs for: wp_update_user calls originating from latepoint_agent roles
2. Alert on: password_reset actions for administrator accounts within 24 hours of customer linking
3. Track: wp_usermeta changes linking customer IDs to admin user IDs
4. Monitor: wp-admin/admin-ajax.php requests with action=latepoint_execute and ability=connect-customer-to-wp-user
5. SIEM rule: Detect privilege escalation patterns where agent role modifies admin user metadata
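The correlation behind detection rules 2 and 4 above, as an added example that is not part of the original advisory or of the LatePoint plugin: it reads a constructed JSON-lines audit log (the log format and field names are assumptions; `latepoint_execute` and `connect-customer-to-wp-user` are the parameter values named on this page), lists every call of the vulnerable ability, and raises an alert when an administrator account is linked to a customer record and its password is reset within the following 24 hours.

```python
import json
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines); field names are assumptions for
# this example, not a LatePoint or WordPress log format. agent7 links customer
# 42 to WP user 1 (an administrator), whose password is reset 20 minutes later.
SAMPLE_LOG = """
{"ts":"2026-04-28T09:00:00Z","user":"agent7","role":"latepoint_agent","event":"ajax","action":"latepoint_execute","ability":"connect-customer-to-wp-user","customer_id":42,"target_wp_user":1}
{"ts":"2026-04-28T09:05:00Z","user":"agent7","role":"latepoint_agent","event":"ajax","action":"latepoint_execute","ability":"update-booking","customer_id":42}
{"ts":"2026-04-28T09:20:00Z","user":"-","role":"-","event":"password_reset","target_wp_user":1,"target_role":"administrator"}
{"ts":"2026-04-28T11:00:00Z","user":"agent7","role":"latepoint_agent","event":"ajax","action":"latepoint_execute","ability":"connect-customer-to-wp-user","customer_id":43,"target_wp_user":58}
{"ts":"2026-04-30T11:30:00Z","user":"-","role":"-","event":"password_reset","target_wp_user":58,"target_role":"subscriber"}
"""

LINK_ABILITY = "connect-customer-to-wp-user"
RESET_WINDOW = timedelta(hours=24)

def parse_log(text):
    """Parse JSON lines into event dicts with a datetime 'ts' field."""
    events = []
    for line in text.strip().splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events

def find_link_events(events):
    """Rule 4: every admin-ajax call of the vulnerable ability, by any caller."""
    return [e for e in events
            if e.get("event") == "ajax"
            and e.get("action") == "latepoint_execute"
            and e.get("ability") == LINK_ABILITY]

def correlate_resets(events):
    """Rule 2: alert when an administrator account is linked to a customer
    record and its password is then reset within 24 hours."""
    resets = [e for e in events if e.get("event") == "password_reset"]
    alerts = []
    for link in find_link_events(events):
        for reset in resets:
            delta = reset["ts"] - link["ts"]
            if (reset["target_wp_user"] == link["target_wp_user"]
                    and reset.get("target_role") == "administrator"
                    and timedelta(0) <= delta <= RESET_WINDOW):
                alerts.append({"agent": link["user"], "wp_user": link["target_wp_user"],
                               "customer_id": link["customer_id"],
                               "minutes_to_reset": int(delta.total_seconds() // 60)})
    return alerts
```

The second linking event (to a subscriber whose password is reset two days later) is listed by rule 4 but correctly produces no rule 2 alert.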

PATCHING STRATEGY:
1. Monitor LatePoint plugin repository for version 5.4.2+ release
2. Prepare isolated test environment for patch validation
3. Schedule immediate patching upon release (within 24 hours)
4. Maintain backup before patching
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
A.5.1.1 - Information Security Policies and Procedures
A.6.1.1 - Internal Organization - Access Control
A.6.2.1 - User Access Management
A.6.2.2 - User Registration and De-registration
A.6.2.3 - User Access Rights Review
A.9.2.1 - User Identification and Authentication
A.9.2.5 - Access Rights Review
A.9.4.3 - Password Management System
A.12.4.1 - Event Logging
A.12.4.3 - Administrator and Operator Logs
🔵 SAMA CSF
Governance.1 - Information Security Governance
Governance.2 - Risk Management
Protection.1 - Access Control
Protection.2 - Authentication and Authorization
Protection.5 - Logging and Monitoring
Detection.1 - Security Event Monitoring
🟡 ISO 27001:2022
5.15 - Access Control
5.16 - Identification and Authentication
5.17 - Access Rights
5.18 - Information Security in Supplier Relationships
8.2 - Privileged Access Rights
8.3 - Information Access Restriction
8.4 - Access to Cryptography
8.5 - Physical and Environmental Security
8.6 - Operations Security
8.7 - Cryptography
8.8 - Physical Media Handling
8.9 - Removable Media
8.10 - Destruction of Data
8.11 - Data Leakage
8.12 - Data Backup
8.13 - Redundancy of Information Processing Facilities
8.14 - Segregation of Networks
8.15 - Web Filtering
8.16 - Encryption
8.17 - Information Systems Acquisition, Development and Maintenance
8.18 - Supplier Relationships
8.19 - Information Security in Development and Support Processes
8.20 - Testing of Information Systems
8.21 - Change Management
8.22 - Test Information
8.23 - Information Security Incident Management
8.24 - Information Security Aspects of Business Continuity Management
8.25 - Compliance
8.26 - Requirements for Information Systems
8.27 - Secure Development Policy
8.28 - Secure Development Environment
8.29 - Security Testing in Development and Acceptance
8.30 - Outsourced Development
8.31 - Separation of Development, Test and Production Environments
8.32 - Change Management
8.33 - Test Information
8.34 - Protection of Information Systems from Malware
8.35 - Logging
8.36 - Monitoring Activities
8.37 - Clock Synchronization
8.38 - Collection of Evidence
🟣 PCI DSS v4.0.1
Requirement 2 - Default Security Parameters
Requirement 6 - Secure Development and Vulnerability Management
Requirement 7 - Restrict Access to Cardholder Data
Requirement 8 - Identify and Authenticate Access
Requirement 10 - Log and Monitor Access to Network Resources
📊 CVSS Score: 8.8 / 10.0 — High
📊 CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector: N — Network
Attack Complexity: L — Low
Privileges Required: L — Low
User Interaction: N — None
Scope: U — Unchanged
Confidentiality: H — High
Integrity: H — High
Availability: H — High
📋 Quick Facts
Severity: High
CVSS Score: 8.8
CWE: CWE-269
EPSS: 0.05%
Exploit: No
Patch: ✗ No
Published: 2026-04-27
Source Feed: nvd
🇸🇦 Saudi Risk Score: 9.2 / 10.0 — Saudi Risk
Priority: CRITICAL
🏷️ Tags
CWE-269