CVE-2026-13228

LatePoint · Calendar Booking Plugin

The LatePoint Calendar Booking plugin for WordPress is vulnerable to privilege escalation, allowing attackers to gain unauthorized administrative access.

Executive summary

A high-severity privilege escalation vulnerability in the LatePoint WordPress plugin lets an attacker elevate their access to the administrator role, which amounts to full control of the affected site.

Vulnerability

This is a privilege escalation vulnerability affecting versions 5 and below. An attacker can abuse plugin functionality to obtain administrator privileges. This advisory does not document the root cause; in WordPress plugins, flaws of this class typically come from an AJAX, REST or form handler that changes a user's role or capabilities without a proper capability check (current_user_can) or nonce verification, so any account the handler is reachable from can reach the administrator role.

Business impact

The CVSS score of 8.8 (High) reflects the impact of this vulnerability. An attacker who escalates to administrator gains full control over the WordPress instance: export of the database (including customer and booking data held by the plugin), modification of site content, installation of arbitrary plugins or themes, and placement of persistent backdoors in the site's files.

Remediation

Immediate Action: Check the installed LatePoint version and update to the latest release. If no fixed version is available for your installation, deactivate or remove the plugin until a patched version is confirmed.

Proactive Monitoring: Audit WordPress user accounts for administrator accounts you did not create, for existing accounts whose role was recently changed to administrator, and for activity-log or web-server entries showing the plugin's endpoints being called unusually often or from unexpected sources.

Compensating Controls: Use a Web Application Firewall (WAF) to block suspicious requests to the plugin's endpoints, restrict who can register accounts on the site, and run file integrity monitoring so that backdoors dropped after a successful escalation are detected.
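The account audit above can be scripted against WP-CLI output. The example below is added here and is not code from LatePoint or from this advisory; it assumes the JSON produced by `wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json` (the sample data embedded in the block is constructed, not from a real site) and that the operator supplies the approved administrator list and, for the version check, the last affected version number from the vendor's release notes. Administrator accounts that are not on the approved list, that were registered recently, or that hold a second role besides administrator are flagged; a second role is worth attention because WordPress normally assigns one role per user, and an extra role is a common artifact of code that called add_role() on an existing account.

```python
"""Flag suspicious WordPress administrator accounts from WP-CLI JSON output.

Input shape assumed (WP-CLI prints `roles` as a comma-separated string):
  wp user list --fields=ID,user_login,user_email,user_registered,roles --format=json
"""
import json
import re
import sys
from datetime import datetime, timedelta

# Constructed sample in the shape of WP-CLI output; not real site data.
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "siteadmin", "user_email": "admin@example.com",
     "user_registered": "2021-03-02 10:11:12", "roles": "administrator"},
    {"ID": 37, "user_login": "frontdesk", "user_email": "desk@example.com",
     "user_registered": "2023-07-19 08:00:00", "roles": "editor"},
    {"ID": 512, "user_login": "customer88", "user_email": "c88@example.net",
     "user_registered": "2026-01-28 14:02:55", "roles": "administrator,subscriber"},
    {"ID": 513, "user_login": "wpsupport", "user_email": "x@mail.invalid",
     "user_registered": "2026-01-29 03:14:07", "roles": "administrator"},
])


def version_key(version):
    """Turn '5.0.3' into (5, 0, 3) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_affected(installed_version, last_affected_version):
    """True if the installed version is at or below the last affected version.

    `last_affected_version` is an assumption supplied by the operator from the
    vendor's release notes; this script does not hard-code it.
    """
    return version_key(installed_version) <= version_key(last_affected_version)


def find_suspicious_admins(wp_user_list_json, approved_admins, now,
                           new_account_window=timedelta(days=30)):
    """Return a list of {ID, user_login, reasons} for administrator accounts
    that fail at least one of three checks."""
    findings = []
    for user in json.loads(wp_user_list_json):
        roles = {r.strip() for r in str(user["roles"]).split(",") if r.strip()}
        if "administrator" not in roles:
            continue
        reasons = []
        if user["user_login"] not in approved_admins:
            reasons.append("not in approved administrator list")
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if now - registered <= new_account_window:
            reasons.append("registered within the last %d days" % new_account_window.days)
        extra_roles = roles - {"administrator"}
        if extra_roles:
            # A second role usually means add_role() was called on an existing
            # account rather than the role being set through the admin UI.
            reasons.append("holds extra roles: " + ", ".join(sorted(extra_roles)))
        if reasons:
            findings.append({"ID": user["ID"], "user_login": user["user_login"],
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    # Usage: wp user list ... --format=json | python audit_admins.py siteadmin other_admin
    approved = set(sys.argv[1:]) or {"siteadmin"}
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_USER_LIST
    for finding in find_suspicious_admins(data, approved, datetime.now()):
        print("user %(ID)s (%(user_login)s): %(reasons)s" % finding)
```

Run it with the site's real approved-administrator logins as arguments and the output of the WP-CLI command on standard input; any account it lists should be reviewed and, if not legitimate, demoted or removed and its sessions invalidated before the site is considered clean.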

Exploitation status

Public Exploit Available: false

Analyst recommendation

Privilege escalation vulnerabilities in WordPress plugins are routinely picked up by automated mass-exploitation campaigns shortly after disclosure, whether or not a public exploit exists at the time of publication. Security teams should verify the installed LatePoint version now. If the plugin cannot be updated, remove it from production until a fixed version is confirmed, since a successful exploit means total site takeover.