CVE-2026-8176: LatePoint <= 5.5.1 - Authenticated (Agent+) Privilege Escalation to Administrator via IDOR in OsOrdersController::create_or_update + Unauthenticated Customer-Cabinet Password Reset
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. An authenticated attacker with Agent-level access (Agent+) can chain three independent flaws, among them an Insecure Direct Object Reference (IDOR) in OsOrdersController::create_or_update and an unauthenticated password reset in the customer cabinet, to overwrite a WordPress Administrator's password without ever invoking an Administrator-only endpoint. This makes it possible for authenticated attackers, with Agent-level access and above, to elevate their privileges to Administrator.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a privilege escalation vulnerability in the LatePoint Calendar Booking Plugin for WordPress, affecting versions up to and including 5.5.1. An authenticated attacker with at least Agent-level access can exploit a chain of three flaws, including an Insecure Direct Object Reference (IDOR) in the orders controller and an unauthenticated password reset in the customer cabinet, to overwrite a WordPress Administrator's password without using any admin-restricted API. Successful exploitation gives the attacker full Administrator access to the WordPress site, enabling complete control over site content, users, and configuration. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection for CVE-2026-8176 is available across every HarborGuard environment; the CVE is ingested from upstream feeds, including the Wordfence advisory, within minutes of publication and matched against customer images, including custom-built WordPress images that bundle the LatePoint plugin. Any image containing the affected plugin at version 5.5.1 or below is flagged automatically.
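As a worked illustration of the version match described above, here is a small added example (not HarborGuard's scanner and not LatePoint code) that reads the standard WordPress plugin header from a plugin's main file and flags a LatePoint version at or below 5.5.1, the affected range on this page. The location wp-content/plugins/latepoint/latepoint.php and the sample header text are assumptions made for the illustration; the "Plugin Name:" and "Version:" header fields and the 8 KiB header read limit are standard WordPress behaviour.

```python
"""Flag a bundled LatePoint plugin at or below 5.5.1 by reading its WordPress plugin header.

Added example for this advisory, not HarborGuard or LatePoint code. Assumes the plugin's main
file sits under wp-content/plugins/<slug>/<file>.php (standard layout) and that its header
carries the standard "Plugin Name:" and "Version:" fields.
"""
import re
from pathlib import Path
from typing import Iterator, Optional, Tuple

AFFECTED_MAX = (5, 5, 1)  # "up to, and including, 5.5.1" per the advisory

# One header field per line inside the leading /** ... */ comment, e.g. " * Version: 5.5.1"
_HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.IGNORECASE | re.MULTILINE
)


def parse_plugin_header(text: str) -> dict:
    """Return {'plugin name': ..., 'version': ...} from the top-of-file header comment.

    WordPress itself only inspects the first 8 KiB of the file for header fields, so we
    do the same rather than scanning the whole source.
    """
    fields = {}
    for key, value in _HEADER_RE.findall(text[:8192]):
        fields[key.lower()] = value.strip()
    return fields


def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '5.5.1' (or '5.5', or '5.5.1-beta') into a comparable tuple of ints.

    Only the leading dotted numeric part is compared; a suffix such as '-beta' is dropped,
    which is conservative (a 5.5.1-beta build is still treated as 5.5.1).
    """
    m = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not m:
        raise ValueError(f"unparseable version string: {version!r}")
    parts = tuple(int(p) for p in m.group(0).split("."))
    # Pad so that 5.5 compares equal to 5.5.0 and below 5.5.1
    return parts + (0,) * max(0, 3 - len(parts))


def is_affected(version: str, fixed_in: Optional[str] = None) -> bool:
    """True if this LatePoint version falls in the vulnerable range.

    With no upstream fix published, the advisory's range is '<= 5.5.1'. Once a fixed
    version exists, pass it as fixed_in and anything below it is treated as affected.
    """
    v = version_tuple(version)
    if fixed_in is not None:
        return v < version_tuple(fixed_in)
    return v <= AFFECTED_MAX


def scan_wp_content(wp_content: Path) -> Iterator[Tuple[Path, str, bool]]:
    """Walk wp-content/plugins/*/*.php and yield (file, version, affected) for LatePoint.

    Matching on a 'Plugin Name' starting with 'latepoint' is an assumption about the
    header value; adjust if the bundled plugin declares a different name.
    """
    for php in sorted((wp_content / "plugins").glob("*/*.php")):
        try:
            header = parse_plugin_header(php.read_text(encoding="utf-8", errors="replace"))
        except OSError:
            continue
        name = header.get("plugin name", "").lower()
        if name.startswith("latepoint") and "version" in header:
            yield php, header["version"], is_affected(header["version"])


# Constructed sample header modelled on the standard WordPress layout; it is NOT the
# real latepoint.php contents, only the shape the parser expects.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: LatePoint
 * Plugin URI: https://latepoint.com
 * Description: Calendar booking plugin for appointments and events.
 * Version: 5.5.1
 * Author: LatePoint
 */
"""

if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:
        # Usage: python check_latepoint.py /path/to/wp-content
        for path, ver, hit in scan_wp_content(Path(sys.argv[1])):
            print(f"{'AFFECTED' if hit else 'ok      '} {ver:<10} {path}")
    else:
        hdr = parse_plugin_header(SAMPLE_HEADER)
        print(hdr, "affected:", is_affected(hdr["version"]))
```

Point the script at an unpacked image layer's wp-content directory to get one line per LatePoint install; once upstream publishes a fix, pass that version as `fixed_in` instead of relying on the hard-coded 5.5.1 ceiling.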
HarborGuard scores this finding at CVSS 7.5 (HIGH) and weights it against each customer environment's compliance policy to determine urgency. Triage results are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
Because no upstream fix has been published as of the CVE record date, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix version is released. In the interim, customers with auto-remediation enabled receive compensating-control guidance, such as network-policy isolation for the affected service, as part of the triage output.
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress site over the network; the vulnerability is exposed via standard HTTP endpoints with no requirement for local or physical access.
- Authentication: Required
The attacker must hold at least an Agent-level account in LatePoint; any low-privilege Agent credential is sufficient to begin the exploit chain.
- Victim interaction: Not required
No victim action, such as clicking a link or visiting a page, is needed; the attacker drives the full exploit chain server-side without any user participation.
- Attack complexity: High
Attack complexity is rated High (CVSS AC:H), meaning the exploit chain depends on specific conditions or sequencing across the three chained flaws, making it less reliably repeatable than a single-step exploit.
Blast Radius
- Attacker overwrites a WordPress Administrator account password, taking full ownership of that account.
- Attacker gains Administrator-level access to the WordPress dashboard, able to install or modify plugins and themes, alter site content, and change site configuration.
- With Administrator access, the attacker reads all data stored in the WordPress database, including user records, session tokens, and any personal or transactional data managed by LatePoint.
- The attacker can create, modify, or delete any WordPress content, users, or settings, effectively taking over the entire site.
How HarborGuard Handles This
Because no upstream fix currently exists for CVE-2026-8176, HarborGuard monitors the Wordfence advisory and the LatePoint plugin release feed on every ingest cycle. The moment a patched version is published, a rebuilt image at that fix version becomes available, and customers with auto-remediation enabled automatically receive a rebuild, a regression-test run, and a PR opened against affected workloads. Until then, customers can apply compensating controls: restrict network access to the WordPress admin and LatePoint AJAX endpoints with an ingress network policy; enforce egress filtering to limit lateral movement if an account is compromised; review LatePoint Agent accounts and disable any that are not needed, since a single Agent credential is the entry point of the chain; and, where the plugin's configuration or a WAF in front of it allows it, block or disable the customer-cabinet password reset feature, which is the unauthenticated link in the chain. Because the chain ends by overwriting an Administrator's password, an unexpected Administrator password change on a site running LatePoint 5.5.1 or below should be treated as a possible indicator and the affected credentials reset. HarborGuard surfaces these control suggestions in the triage output for any environment where the affected image is present.
Affected Products
- latepoint / LatePoint – Calendar Booking Plugin for Appointments and Events: ≤ 5.5.1
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
References
- wordfence.com
- plugins.trac.wordpress.org