PT-2026-54627 · WordPress · Latepoint

D.V4N_S3C

·

Published

2026-07-01

·

Updated

2026-07-01

·

CVE-2026-13228

CVSS v3.1

8.8

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions LatePoint – Calendar Booking Plugin for Appointments and Events versions prior to 5.6.4
Description An Insecure Direct Object Reference (IDOR) exists in the create or update() function of OsOrdersController. This allows an authenticated Agent to provide an arbitrary order[customer id] and overwrite the email field of any customer, including those linked to WordPress Administrator accounts, via the public-scope set data() call. Due to a missing role verification in OsAuthHelper::authorize customer(), the linked WordPress user is logged in without a role check, enabling attackers with Agent-level access or higher to elevate their privileges to Administrator.
Recommendations Update the plugin to version 5.6.4 or later.

Fix

LPE

Improper Privilege Management

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-13228

Affected Products

Latepoint