Cyber Resilience

CVE-2026-6741

Severity: High
Published: 27 April 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: available (changeset 3514330)
CVSS Score v3.1: 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score: 0.0029 (21.1st percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-6741 is a high-severity Improper Privilege Management (CWE-269) vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress, affecting versions up to and including 5.4.1 (product inferred from the references; NVD filed no CPE). Its CVSS v3.1 base score is 8.8 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 21.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege). The immediate remediation is the plugin update carrying changeset 3514330; until it is applied, every account holding the latepoint_agent role should be treated as able to reach administrator, since the exploit needs nothing beyond that role and network access.

Deeper analysis

CVE-2026-6741 is a privilege escalation vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress, affecting versions up to and including 5.4.1. The flaw arises from a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which solely requires the customer__edit capability—granted by default to the latepoint_agent role—without confirming whether the target WordPress user ID corresponds to a privileged account.

Authenticated attackers with the latepoint_agent role can exploit this vulnerability over the network to link any LatePoint customer record to an administrator's WordPress account. They can then leverage the standard customer password-reset flow to reset the administrator's password, resulting in full site takeover. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management).

References to the vulnerable code include the connect-customer-to-wp-user.php file at https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/abilities/customers/connect-customer-to-wp-user.php, roles_helper.php at https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/roles_helper.php, and customer_model.php at https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/models/customer_model.php. A patch is indicated in changeset 3514330 at https://plugins.trac.wordpress.org/changeset/3514330/latepoint, with the plugin page at https://wordpress.org/plugins/latepoint/.

Vulnerability details

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.
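The check the advisory describes as missing, written out in PHP as an added illustration for both the deeper analysis and the vulnerability details above. This is not LatePoint's code and does not reproduce the fix in changeset 3514330: the latepoint_demo_ function names and the stand-in persistence step are assumptions, and the block assumes it runs inside a loaded WordPress (current_user_can, user_can, get_userdata, wp_get_current_user, wp_verify_nonce, is_super_admin and update_user_meta are WordPress core functions). It generalises the page's administrator case into a rule that a caller may never bind a customer record to an account holding a capability the caller lacks.

```php
<?php
// Added illustration, not LatePoint's own code. Assumes WordPress core is
// loaded (e.g. this file is a plugin). Names prefixed latepoint_demo_ are
// hypothetical stand-ins for the plugin's ability and model classes.

// Vulnerable shape, as the advisory describes it: only the caller's own
// capability is checked, never the account the record is being bound to.
function latepoint_demo_connect_vulnerable( int $customer_id, int $wp_user_id ): bool {
    // latepoint_agent holds customer__edit by default, so this passes for any agent.
    if ( ! current_user_can( 'customer__edit' ) ) {
        return false;
    }
    // $wp_user_id may be an administrator's ID; nothing here notices.
    return latepoint_demo_persist_link( $customer_id, $wp_user_id );
}

// Hardened shape: caller capability, CSRF nonce, then a privilege comparison
// against the target account before anything is written.
function latepoint_demo_connect_hardened( int $customer_id, int $wp_user_id, string $nonce ): bool {
    if ( ! current_user_can( 'customer__edit' ) ) {
        return false;
    }
    if ( ! wp_verify_nonce( $nonce, 'latepoint_demo_connect_' . $customer_id ) ) {
        return false;
    }
    $target = get_userdata( $wp_user_id );
    if ( ! $target instanceof WP_User ) {
        return false; // unknown user ID
    }
    if ( ! latepoint_demo_caller_dominates( wp_get_current_user(), $target ) ) {
        return false; // target holds privileges the caller lacks: refuse
    }
    return latepoint_demo_persist_link( $customer_id, $wp_user_id );
}

// True only if every capability granted to $target is also held by $caller.
// Multisite super admins are handled separately because that power is not
// expressed through allcaps.
function latepoint_demo_caller_dominates( WP_User $caller, WP_User $target ): bool {
    if ( is_multisite() && is_super_admin( $target->ID ) && ! is_super_admin( $caller->ID ) ) {
        return false;
    }
    foreach ( $target->allcaps as $cap => $granted ) {
        if ( $granted && ! $caller->has_cap( $cap ) ) {
            return false;
        }
    }
    return true;
}

// Stand-in for the real customer-model update; the meta key is hypothetical.
function latepoint_demo_persist_link( int $customer_id, int $wp_user_id ): bool {
    return false !== update_user_meta( $wp_user_id, 'latepoint_demo_customer_id', $customer_id );
}
```

The design point is where the decision is made: the vulnerable shape decides on the caller alone, the hardened shape decides on the pair (caller, target). The strict "target capabilities are a subset of the caller's" rule is deliberately conservative; a real deployment would allow-list the customer-level roles an agent legitimately links to, but any such allow-list must still be evaluated against the target account, which is the check the advisory says was absent.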

CWE(s)

CWE-269 Improper Privilege Management

Related Threats

MITRE ATT&CK Enterprise Techniques

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The vulnerability is explicitly a privilege escalation flaw (CWE-269): a missing authorization check lets authenticated low-privileged users (latepoint_agent role) link customer records to administrator accounts and then reset those administrators' passwords, yielding full site takeover.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-23896 (shared CWE-269)
CVE-2025-27639 (shared CWE-269)
CVE-2025-8899 (shared CWE-269)
CVE-2025-26705 (shared CWE-269)
CVE-2015-10139 (shared CWE-269)
CVE-2026-8972 (shared CWE-269)
CVE-2025-0893 (shared CWE-269)
CVE-2026-6769 (shared CWE-269)
CVE-2025-2858 (shared CWE-269)
CVE-2025-48613 (shared CWE-269)

Affected Assets

WordPress, LatePoint – Calendar Booking Plugin for Appointments and Events (versions up to and including 5.4.1)
inferred from references and description; NVD did not file a CPE for this CVE

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

AC-3 Access Enforcement (prevent)

Enforces the required authorization check in the connect-customer-to-wp-user execute() method so that latepoint_agent users cannot link customer records to privileged administrator accounts.

AC-6 Least Privilege (prevent)

Applies least privilege so that the latepoint_agent role's customer__edit capability does not extend to connecting customer records to privileged WordPress user accounts.

prevent

Manages account privileges and roles so that latepoint_agent cannot escalate by linking to administrator accounts or resetting administrator passwords.
