PT-2026-22706 · WordPress · Latepoint – Calendar Booking Plugin For Appointments/Events

Bashu +2 · Published 2026-03-02 · Updated 2026-03-03 · CVE-2026-1566

CVSS v3.1: 8.8 (High)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

LatePoint – Calendar Booking Plugin for Appointments and Events versions through 5.2.7

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is susceptible to privilege escalation through a flaw in the password reset functionality. The issue stems from the plugin permitting users with a LatePoint Agent role, while creating new customers, to define the wordpress user id field. This allows authenticated attackers possessing Agent-level access or higher to obtain elevated privileges by associating a customer with an arbitrary user ID, potentially including administrators, and subsequently resetting the password. The wordpress user id field is used to link a customer to a WordPress user account.

Recommendations

Versions prior to 5.2.7 should be updated to address this issue.
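
The class of control that prevents this kind of account-link abuse, as an added example that is not LatePoint's code or its actual fix: a server-side allow-list for customer creation that drops the account-link field unless the caller is an administrator, and refuses to link to a privileged account. The field name `wordpress_user_id`, the role names, the function `build_customer` and the sample data are assumptions made for illustration.

```php
<?php
// Hypothetical model, not LatePoint code: field names, role names and the
// sample request below are constructed for illustration.

// Fields an agent may set when creating a customer. The account-link field
// (assumed here to be named wordpress_user_id) is deliberately absent.
const AGENT_WRITABLE = ['first_name', 'last_name', 'email', 'phone'];
const LINK_FIELD = 'wordpress_user_id';

// Build the customer record from request parameters.
// $actor and $users stand in for the WordPress user store.
function build_customer(array $params, array $actor, array $users): array
{
    // Allow-list: unknown or privileged keys from the request are dropped.
    $customer = array_intersect_key($params, array_flip(AGENT_WRITABLE));
    $customer[LINK_FIELD] = null;

    if (!array_key_exists(LINK_FIELD, $params)) {
        return $customer;
    }
    // Only an administrator may link a customer to an existing account.
    if (!in_array('administrator', $actor['roles'], true)) {
        return $customer;
    }
    // Even then, never link to an account holding any role beyond customer,
    // so a later customer password reset cannot touch a privileged user.
    $target = $users[(int) $params[LINK_FIELD]] ?? null;
    if ($target !== null && $target['roles'] === ['customer']) {
        $customer[LINK_FIELD] = (int) $params[LINK_FIELD];
    }
    return $customer;
}

// Constructed sample user store: one administrator, one agent, one customer.
$users = [
    1 => ['roles' => ['administrator']],
    7 => ['roles' => ['agent']],
    9 => ['roles' => ['customer']],
];

// An agent supplies the link field pointing at the administrator account.
$asAgent = build_customer(
    ['first_name' => 'Ana', 'email' => 'ana@example.test', LINK_FIELD => '1'],
    $users[7], $users);
// An administrator links a new customer to a customer-only account.
$asAdmin = build_customer(
    ['email' => 'b@example.test', LINK_FIELD => '9'], $users[1], $users);

var_dump($asAgent[LINK_FIELD], $asAdmin[LINK_FIELD]);
```

The same check belongs on the customer update path and on the password reset handler, since the link is only dangerous once a reset is issued against it.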

Fix

LPE

Improper Privilege Management


Weakness Enumeration

Related identifiers

CVE-2026-1566

Affected products

Latepoint – Calendar Booking Plugin For Appointments/Events