CVE-2026-7652

Name of the Vulnerable Software and Affected Versions LatePoint versions prior to 5.5.1

Description A weak password recovery mechanism in the unauthenticated guest booking flow allows for account takeover. The save connected wordpress user() function uses wp update user() to propagate a customer's email address to a linked WordPress user account without ownership verification. This, combined with the ability to overwrite a customer's email through phone-based merge without authentication, allows unauthenticated attackers to change the email address of a non-super-admin WordPress user account not yet linked to a LatePoint customer. Attackers can then trigger the standard WordPress password-reset flow to an address they control. This occurs when the plugin has WordPress user integration enabled, phone-based contact merging active, and customer authentication disabled.

Recommendations Update to a version later than 5.5.0. As a temporary mitigation, disable WordPress user integration, phone-based contact merging, or enable customer authentication.