CVE-2026-1566 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: March 3, 2026
LatePoint Calendar Booking Plugin - Privilege Escalation
Overview
LatePoint Calendar Booking Plugin for WordPress, versions <= 5.2.7, contains a privilege escalation vulnerability caused by improper handling of the 'wordpress_user_id' field when it is set by users with the Agent role. This lets authenticated attackers with Agent-level access escalate privileges via password reset.
Severity & Score
Impact
Authenticated attackers with Agent-level access can escalate privileges to administrator by linking customers to arbitrary user IDs and resetting passwords.
Mitigation
Update to the latest version, later than 5.2.7.
References
Social Media Activity (2 posts)
CVE-2026-1566 - High (8.8) The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with a LatePo... https://www.thehackerwire.com/vulnerability/CVE-2026-1566/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
CVE-2026-1566 (HIGH): LatePoint WordPress plugin lets Agent users reset admin passwords – leads to full privilege escalation. All versions up to 5.2.7 affected. Restrict Agent roles & monitor now. https://radar.offseq.com/threat/cve-2026-1566-cwe-269-improper-privilege-managemen-02d5d7d7 #OffSeq #WordPress #Vuln #Infosec
Related Resources
Details
- CVE ID: CVE-2026-1566
- Severity: High
- CVSS Score: 8.8
- Type: broken_access_control
- Status: unconfirmed
- EPSS: 3.9%
- Social Posts: 2
CWE
- CWE-269
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H