WordPress · Latepoint · CVE-2026-6741
**Name of the Vulnerable Software and Affected Versions**
LatePoint – Calendar Booking Plugin for Appointments and Events versions prior to 5.4.2
**Description**
A privilege escalation issue exists due to a missing authorization check in the `execute()` function of the connect-customer-to-wp-user ability. The system only requires the `customer edit` capability, which is granted to the `latepoint agent` role by default, but fails to verify if the target WordPress user ID belongs to a privileged account. This allows authenticated attackers with the `latepoint agent` role to link a LatePoint customer record to an administrator account and reset the administrator's password through the standard customer password-reset process, leading to a full site takeover.
**Recommendations**
Update the plugin to a version later than 5.4.1.