CVE-2026-13228
LatePoint · Calendar Booking Plugin
The LatePoint Calendar Booking plugin for WordPress is vulnerable to privilege escalation, allowing attackers to gain unauthorized administrative access.
Executive summary
A critical privilege escalation vulnerability in the LatePoint WordPress plugin enables attackers to elevate their access to administrative levels, posing a severe threat to site integrity.
Vulnerability
This is a privilege escalation vulnerability affecting versions 5 and below. The flaw allows an attacker to manipulate plugin functions to gain administrative privileges. The likely root cause is a missing or insufficient capability check in the plugin's authentication logic; exploitation may require only basic user interaction.
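To illustrate the class of defect the advisory describes (a privileged plugin action reachable without a capability check), the following is an added example written for this page; it is not LatePoint code and does not reflect the plugin's actual internals. The hook names, option name and callbacks are hypothetical placeholders; only the WordPress functions used are real APIs.

```php
<?php
// Added illustration, not LatePoint code. Hook names, option name and
// callback names are hypothetical placeholders.

// Weak pattern: the handler is registered only on the wp_ajax_ hook, so any
// authenticated user can reach it, and it never verifies a nonce or a
// capability before performing a privileged change.
add_action('wp_ajax_example_set_user_role', 'example_set_user_role_unsafe');
function example_set_user_role_unsafe() {
    $user_id = (int) ($_POST['user_id'] ?? 0);
    $role    = sanitize_key($_POST['role'] ?? '');
    // Letting the request body choose the role is how a low-privileged
    // account ends up as administrator.
    wp_update_user(['ID' => $user_id, 'role' => $role]);
    wp_send_json_success();
}

// Hardened pattern: verify a nonce bound to this action, require the
// capability the action actually needs, and never accept a role the
// caller is not allowed to grant.
add_action('wp_ajax_example_set_user_role_v2', 'example_set_user_role_safe');
function example_set_user_role_safe() {
    check_ajax_referer('example_set_user_role', 'nonce');

    if (!current_user_can('promote_users')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    $user_id = (int) ($_POST['user_id'] ?? 0);
    $role    = sanitize_key($_POST['role'] ?? '');

    // Only roles that exist, and only ones this caller may assign.
    $editable = get_editable_roles(); // roles the current user may assign
    if ($role === '' || !array_key_exists($role, $editable)) {
        wp_send_json_error(['message' => 'role not permitted'], 403);
    }
    // Granting administrator should itself require administrator rights.
    if ($role === 'administrator' && !current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'role not permitted'], 403);
    }

    wp_update_user(['ID' => $user_id, 'role' => $role]);
    wp_send_json_success();
}
```

The two checks that matter are the nonce (the request originated from a form or script the plugin rendered for this user) and current_user_can() (the user holds the capability the action needs); neither alone is sufficient, and a handler that omits both is the textbook shape of a plugin privilege escalation.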
Business impact
The CVSS score of 8.8 highlights the critical nature of this vulnerability. An attacker who successfully escalates their privileges to an administrator can gain full control over the WordPress instance, potentially leading to complete data exfiltration, unauthorized content modification, or the injection of malicious backdoors into the hosting environment.
Remediation
Immediate action: update the LatePoint plugin to the latest version. If a patch is unavailable, deactivate or remove the plugin until a secure version is confirmed.
Proactive monitoring: audit WordPress user accounts for unauthorized administrative accounts, and review activity logs for entries suggesting role or privilege changes.
Compensating controls: use a Web Application Firewall (WAF) to block suspicious requests targeting plugin-specific endpoints, and implement strict file integrity monitoring.
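The account audit in the monitoring step can be scripted rather than done by hand. The following is an added helper written for this page (not part of LatePoint or of the advisory) that runs inside WordPress, for example via WP-CLI with `wp eval-file audit-admins.php`. The allow-list of known administrator logins and the 30-day window are placeholders to be adjusted per site.

```php
<?php
// Added audit helper for the remediation step above; not LatePoint code.
// Run inside a WordPress bootstrap, e.g.:  wp eval-file audit-admins.php
// Placeholder values: replace with the site's real administrator logins.
$known_admins = ['site-owner'];   // placeholder allow-list
$recent_days  = 30;               // flag administrators created recently

$findings = [];

// 1. Every administrator account, compared against the allow-list and
//    checked for recent creation (a freshly created admin is a classic
//    artefact of privilege escalation).
foreach (get_users(['role' => 'administrator']) as $user) {
    $flags = [];
    if (!in_array($user->user_login, $known_admins, true)) {
        $flags[] = 'not on allow-list';
    }
    $registered = strtotime($user->user_registered);
    if ($registered !== false && $registered >= time() - $recent_days * DAY_IN_SECONDS) {
        $flags[] = "registered within {$recent_days} days";
    }
    if ($flags) {
        $findings[] = sprintf('admin %s (ID %d): %s', $user->user_login, $user->ID, implode(', ', $flags));
    }
}

// 2. Non-administrator accounts that nevertheless hold capabilities which
//    can be used to create or promote users. A custom role or a per-user
//    capability grant can confer these without the administrator label.
$grant_caps = ['promote_users', 'create_users', 'edit_users'];
foreach (get_users(['role__not_in' => ['administrator']]) as $user) {
    $held = array_filter($grant_caps, fn($cap) => user_can($user, $cap));
    if ($held) {
        $findings[] = sprintf('non-admin %s (ID %d) holds: %s', $user->user_login, $user->ID, implode(', ', $held));
    }
}

if (!$findings) {
    echo "No unexpected administrators or user-management capabilities found.\n";
} else {
    echo count($findings) . " finding(s):\n";
    foreach ($findings as $line) {
        echo " - {$line}\n";
    }
}
```

A quick one-off equivalent for the first check is `wp user list --role=administrator --fields=ID,user_login,user_registered`; the script adds the second check, which catches accounts that were granted user-management capabilities without being given the administrator role itself.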
Exploitation status
Public Exploit Available: false
Analyst recommendation
Privilege escalation vulnerabilities in plugins are frequently targeted by automated attacks. Security teams must act immediately to verify the status of their LatePoint installation. If the plugin cannot be updated, it should be removed from the production environment to prevent total site takeover.