CVE-2026-6741: WordPress LatePoint Plugin Privilege Escalation

The National Vulnerability Database reports a critical privilege escalation vulnerability, CVE-2026-6741, affecting the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress, in versions up to and including 5.4.1. This flaw stems from a missing authorization check within the execute() method of the connect-customer-to-wp-user ability.

Attackers who possess the latepoint_agent role can exploit this by linking any LatePoint customer record to an existing administrator’s WordPress account. Crucially, the system fails to verify if the target WordPress user ID belongs to a privileged account. This bypass allows the attacker to then leverage the standard customer password-reset flow for the now-linked administrator account, culminating in a full site takeover.

The National Vulnerability Database assigns this vulnerability a CVSS score of 8.8 (HIGH), underscoring the severe impact of this access bypass. The lack of proper authorization control (CWE-269) is a classic vector for such attacks, turning a low-privileged user into a site administrator with minimal effort.

What This Means For You

  • If your organization uses the LatePoint – Calendar Booking Plugin for Appointments and Events on its WordPress sites, assume exposure until proven otherwise. Immediately audit your LatePoint installations for versions up to and including 5.4.1 and prioritize updating them to a fixed release later than 5.4.1. Also review administrator accounts for unauthorized password resets or other suspicious activity, especially on sites where the `latepoint_agent` role is provisioned.
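As an added example (not code from the page or from the LatePoint project), a small Python audit helper for the version check above: it reads the Version: line from a WordPress plugin's main-file header and compares it numerically against 5.4.1. The sample header is constructed, and since the plugin's real main-file path is not given here, the caller supplies the file contents.

```python
import re

# Highest affected release per the advisory: "versions up to and including 5.4.1".
LAST_VULNERABLE = (5, 4, 1)

# Constructed sample of a WordPress plugin main-file header (not the real LatePoint file).
SAMPLE_HEADER = """\
<?php
/**
 * Plugin Name: LatePoint
 * Description: Calendar booking plugin for appointments and events
 * Version: 5.4.1
 * Author: Example
 */
"""


def parse_version(version):
    """Turn '5.4.1' into (5, 4, 1) so releases compare numerically, not as strings
    ('5.10.0' < '5.4.1' is True for strings, which would misclassify a fixed build)."""
    numbers = re.findall(r"\d+", version)
    if not numbers:
        raise ValueError("no numeric version components in %r" % version)
    return tuple(int(n) for n in numbers)


def plugin_version(header_text):
    """Read the 'Version:' line from a WordPress plugin header; None if absent."""
    match = re.search(r"^\s*\*?\s*Version:\s*(\S+)", header_text, re.MULTILINE)
    return match.group(1) if match else None


def is_vulnerable(version):
    """True when the installed release is at or below the last vulnerable one."""
    return parse_version(version) <= LAST_VULNERABLE


def audit(header_text):
    """Return (version, vulnerable) for one plugin header; (None, None) if no version found."""
    version = plugin_version(header_text)
    if version is None:
        return None, None
    return version, is_vulnerable(version)


if __name__ == "__main__":
    print(audit(SAMPLE_HEADER))
```

Versions are compared as integer tuples on purpose: a plain string comparison would rank a hypothetical 5.4.10 or 5.10.0 below 5.4.1 and report a patched site as vulnerable. A version such as 5.4 (no patch component) compares below 5.4.1 and is correctly reported as affected.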

🛡️ Detection Rules

The detection rule below was auto-generated for this CVE and mapped to MITRE ATT&CK.

Rule: CVE-2026-6741: WordPress LatePoint Plugin User Linking
Level: critical · ATT&CK: T1190 Exploit Public-Facing Application (Initial Access)

Sigma YAML:
title: CVE-2026-6741: WordPress LatePoint Plugin User Linking
id: scw-2026-04-27-ai-1
status: experimental
level: critical
description: |
  Detects the specific AJAX action 'latepoint_connect_customer_to_wp_user' used by the vulnerable LatePoint plugin to link a customer to a WordPress user account. This is the initial step in the privilege escalation chain for CVE-2026-6741.
author: SCW Feed Engine (AI-generated)
date: 2026-04-27
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-6741/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/wp-admin/admin-ajax.php'
    cs-uri-query|contains:
      - 'action=latepoint_connect_customer_to_wp_user'
    cs-method:
      - 'POST'
    sc-status:
      - '200'
  condition: selection
falsepositives:
  - Legitimate administrative activity
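As an added example (not part of the page or of the SCW rule set), the selection logic of the Sigma rule above applied in Python to a few constructed W3C-style web server log lines. The field order, the customer_id and wp_user_id parameter names and the client addresses are assumptions made for the sample, not values taken from the plugin or from real traffic.

```python
from urllib.parse import parse_qs

# Constructed W3C-style access log lines (not real traffic). Fields, in order:
# date time cs-method cs-uri-stem cs-uri-query sc-status c-ip; '-' means no query string.
# The customer_id / wp_user_id parameter names are assumed for the sample.
SAMPLE_LOG = """\
2026-04-28 10:15:01 POST /wp-admin/admin-ajax.php action=latepoint_connect_customer_to_wp_user&customer_id=42&wp_user_id=1 200 203.0.113.10
2026-04-28 10:15:02 POST /wp-admin/admin-ajax.php action=heartbeat 200 203.0.113.11
2026-04-28 10:15:03 GET /wp-admin/admin-ajax.php action=latepoint_connect_customer_to_wp_user&customer_id=42&wp_user_id=1 200 203.0.113.12
2026-04-28 10:15:04 POST /wp-admin/admin-ajax.php action=latepoint_connect_customer_to_wp_user&customer_id=43&wp_user_id=7 403 203.0.113.13
2026-04-28 10:15:05 POST /wp-login.php - 200 203.0.113.14
"""

FIELDS = ("date", "time", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status", "c-ip")


def parse_line(line):
    """Split one log line into the W3C field names the Sigma rule refers to."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        return None  # malformed line: skip it rather than abort the whole scan
    entry = dict(zip(FIELDS, parts))
    if entry["cs-uri-query"] == "-":
        entry["cs-uri-query"] = ""
    # Sigma's cs-uri is stem plus query; rebuild it so the 'contains' test mirrors the rule.
    query = entry["cs-uri-query"]
    entry["cs-uri"] = entry["cs-uri-stem"] + ("?" + query if query else "")
    return entry


def matches_rule(entry):
    """Apply the four clauses of the rule's 'selection'; Sigma ANDs them together."""
    return (
        "/wp-admin/admin-ajax.php" in entry["cs-uri"]
        and "action=latepoint_connect_customer_to_wp_user" in entry["cs-uri-query"]
        and entry["cs-method"] == "POST"
        and entry["sc-status"] == "200"
    )


def scan(log_text):
    """Return one alert dict per matching line, with the linked IDs pulled out for triage."""
    alerts = []
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None or not matches_rule(entry):
            continue
        params = parse_qs(entry["cs-uri-query"])
        alerts.append({
            "time": entry["date"] + " " + entry["time"],
            "source_ip": entry["c-ip"],
            "customer_id": params.get("customer_id", [""])[0],
            "wp_user_id": params.get("wp_user_id", [""])[0],
        })
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Of the five sample lines only the first fires: the second carries a different action, the third is a GET, the fourth was rejected with 403 and the fifth never touches admin-ajax.php. Two caveats matter when deploying the rule for real. admin-ajax.php actions are frequently sent in the POST body rather than the query string, and an access log does not record the body, so a rule keyed on cs-uri-query can only see requests that put the action in the URL; application-level or WAF logging is needed for the rest. An HTTP 200 from admin-ajax.php also does not prove the link succeeded, so the useful triage step is to check whether the wp_user_id in an alert belongs to an administrator and whether a customer password reset for that account follows shortly after.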


Indicators of Compromise

ID | Type | Indicator
CVE-2026-6741 | Privilege Escalation | LatePoint - Calendar Booking Plugin for Appointments and Events plugin for WordPress, versions <= 5.4.1
CVE-2026-6741 | Privilege Escalation | Missing authorization check in the execute() method of the connect-customer-to-wp-user ability
CVE-2026-6741 | Privilege Escalation | Requires the customer__edit capability (granted to the latepoint_agent role by default)

Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: April 27, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
