CVE-2026-49083: WordPress LatePoint plugin <= 5.5.1 - Privilege Escalation vulnerability
Contributor Privilege Escalation in LatePoint <= 5.5.1 versions.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
An authentication bypass leading to privilege escalation affects the LatePoint WordPress plugin at version 5.5.1 and earlier. The vulnerability is reachable over the network and requires only a low-privilege (contributor-level) account, with no additional victim interaction needed. Successful exploitation allows an attacker to fully compromise confidentiality, integrity, and availability of the affected environment by elevating their privileges beyond the contributor role. HarborGuard is tracking this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
HarborGuard Coverage
- Detection for CVE-2026-49083 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including Patchstack) within minutes of publication and matched against all customer images in connected registries and CI pipelines, including custom-built WordPress images that bundle the LatePoint plugin. (Status: Available)
- HarborGuard is capable of scoring this CVE at CVSS 7.5 HIGH and weighting that score against each customer environment's compliance policy to prioritize routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured ownership rules. (Status: Available)
- Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention once the upstream patch ships. (Status: Pending upstream)
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress installation over the network; the vulnerable plugin endpoint is exposed via standard HTTP(S) requests.
- Authentication: Required
A low-privilege account (contributor level) is sufficient; no administrative credentials are needed, but unauthenticated access alone does not trigger the vulnerability.
- Victim interaction: Not required
No victim action such as clicking a link or opening a file is needed; the attacker can exploit the flaw directly after authenticating.
- Attack complexity: High
Attack complexity is rated High, meaning the exploit depends on specific conditions such as race conditions, particular configuration states, or environmental factors that the attacker cannot fully control.
Blast Radius
- Attacker elevates their WordPress role beyond contributor, gaining write and administrative access to site content, settings, and installed plugins.
- With elevated privileges, the attacker reads stored user data, credentials, and any private content held in the WordPress database.
- The attacker modifies or deletes posts, pages, plugin configurations, and site settings, corrupting persisted application data.
- Abuse of administrative capabilities can render the WordPress site unavailable, for example by deactivating critical plugins or corrupting core configuration.
How HarborGuard Handles This
Available on HarborGuard: this CVE is actively monitored across all connected customer environments through continuous advisory re-ingestion from Patchstack and other upstream feeds. Because no upstream fix exists at this time, HarborGuard cannot yet offer a patched-image rebuild; instead, the platform re-checks the advisory on every ingest cycle and will trigger the rebuild-and-PR flow automatically the moment a fix version is published. For customers with auto-remediation enabled, that flow includes a rebuilt image, a regression test run, and a PR opened against affected workloads, with median time from fix publication to merged patch PR for high-severity issues around 90 minutes. In the interim, compensating controls available within HarborGuard-connected environments include network-policy isolation to restrict contributor-accessible plugin endpoints, egress filtering to limit lateral movement from a compromised WordPress host, and flagging any image bundling LatePoint at or below 5.5.1 as non-compliant under custom policy rules.
- LatePoint / LatePoint: ≤ 5.5.1
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H