PT-2026-35519 · WordPress · Latepoint
Author: Chirita Catalin-Andrei (+2)
Published: 2026-04-27 · Updated: 2026-04-28
CVE: CVE-2026-6741
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: LatePoint – Calendar Booking Plugin for Appointments and Events, versions prior to 5.4.2

Description: A privilege escalation issue exists due to a missing authorization check in the execute() function of the connect-customer-to-wp-user ability. The function only requires the customer edit capability, which is granted to the latepoint agent role by default, but does not verify whether the target WordPress user ID belongs to a privileged account. This allows authenticated attackers with the latepoint agent role to link a LatePoint customer record to an administrator account and then reset the administrator's password through the standard customer password-reset flow, leading to a full site takeover.

Recommendations: Update the plugin to a version later than 5.4.1.
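The following is an added illustrative example, not LatePoint's own code: it contrasts the check pattern the description reports (capability check only, target user trusted) with a hardened form that refuses to bind a customer record to an account holding privileged WordPress capabilities. Function names, the capability name `lp_customer_edit_cap` and the persistence helper `lp_store_customer_wp_user_link` are hypothetical; `current_user_can`, `user_can`, `get_userdata` and `WP_Error` are standard WordPress APIs.

```php
<?php
// Added example, not code from the LatePoint plugin. All lp_* names are hypothetical.

// Pattern reported in the advisory: only the customer-edit capability is checked,
// and the supplied WordPress user ID is accepted without inspecting the account.
function lp_link_customer_to_wp_user_vulnerable( int $customer_id, int $wp_user_id ) {
    if ( ! current_user_can( 'lp_customer_edit_cap' ) ) {   // hypothetical capability name
        return new WP_Error( 'forbidden', 'Missing capability.' );
    }
    lp_store_customer_wp_user_link( $customer_id, $wp_user_id ); // hypothetical persistence helper
    return true;
}

// Hardened form: same capability gate, plus an object-level authorization check on the
// target account before the customer record is bound to it.
function lp_link_customer_to_wp_user_hardened( int $customer_id, int $wp_user_id ) {
    if ( ! current_user_can( 'lp_customer_edit_cap' ) ) {
        return new WP_Error( 'forbidden', 'Missing capability.' );
    }

    $target = get_userdata( $wp_user_id ); // WP_User or false
    if ( ! $target ) {
        return new WP_Error( 'not_found', 'No such WordPress user.' );
    }

    // Any account that can manage users, options or plugins must never be reachable
    // through a customer record, because the customer password-reset flow would then
    // effectively reset that account's password.
    $privileged_caps = array( 'manage_options', 'edit_users', 'promote_users', 'activate_plugins' );
    foreach ( $privileged_caps as $cap ) {
        if ( user_can( $target, $cap ) ) {
            // Audit line for detection: a non-admin actor tried to bind a privileged account.
            error_log( sprintf(
                'lp: user %d attempted to link customer %d to privileged wp_user %d (%s)',
                get_current_user_id(), $customer_id, $wp_user_id, $cap
            ) );
            return new WP_Error( 'forbidden', 'Cannot link a customer to a privileged account.' );
        }
    }

    lp_store_customer_wp_user_link( $customer_id, $wp_user_id );
    return true;
}
```

The capability list is a conservative assumption, not something the advisory prescribes; the point is that the role-level check alone answers "may this actor link customers?" but not "may this actor link a customer to this particular account?". The `error_log` call is there so that blocked attempts surface in the web server's PHP log, which is the signal a defender would alert on after patching.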

Tags: Fix · LPE · Improper Privilege Management

Weakness Enumeration

Related Identifiers: CVE-2026-6741

Affected Products: Latepoint