PT-2026-54627 · WordPress · Latepoint
D.V4N_S3C
·
Published
2026-07-01
·
Updated
2026-07-01
·
CVE-2026-13228
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
LatePoint – Calendar Booking Plugin for Appointments and Events versions prior to 5.6.4
Description
An Insecure Direct Object Reference (IDOR) exists in the
create or update() function of OsOrdersController. This allows an authenticated Agent to provide an arbitrary order[customer id] and overwrite the email field of any customer, including those linked to WordPress Administrator accounts, via the public-scope set data() call. Due to a missing role verification in OsAuthHelper::authorize customer(), the linked WordPress user is logged in without a role check, enabling attackers with Agent-level access or higher to elevate their privileges to Administrator.Recommendations
Update the plugin to version 5.6.4 or later.
Fix
LPE
Improper Privilege Management
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Latepoint