CVE-2026-6741
Published: 27 April 2026
Summary
CVE-2026-6741 is a high-severity Improper Privilege Management (CWE-269) vulnerability in WordPress (inferred from references). Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); it is ranked at the 21.1 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-6741 is a privilege escalation vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress, affecting versions up to and including 5.4.1. The flaw arises from a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which solely requires the customer__edit capability—granted by default to the latepoint_agent role—without confirming whether the target WordPress user ID corresponds to a privileged account.
Authenticated attackers with the latepoint_agent role can exploit this vulnerability over the network to link any LatePoint customer record to an administrator's WordPress account. They can then leverage the standard customer password-reset flow to reset the administrator's password, resulting in full site takeover. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-269 (Improper Privilege Management).
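The advisory's root cause is an authorization check that looks only at the caller's capability and never at the target account. The following PHP is an added illustration, not LatePoint's code: a hypothetical WordPress "ability" handler in the flawed shape the advisory describes, beside a hardened form that additionally refuses to link a customer record to any WordPress user who holds a privilege the caller does not have. The function names, the `customer__edit` capability string (taken from the advisory), the privileged-capability list and the persistence helper are assumptions; `current_user_can()`, `user_can()`, `get_userdata()` and `WP_Error` are standard WordPress APIs.

```php
<?php
// Added example, not part of the LatePoint plugin. Assumes a WordPress
// runtime (current_user_can, user_can, get_userdata, WP_Error are loaded).

// Hypothetical persistence helper: how the mapping is stored is plugin-specific.
function hypothetical_store_customer_wp_user( int $customer_id, int $wp_user_id ): bool {
    // e.g. write the wp_user_id column on the customer row; body is an assumption.
    return true;
}

// Vulnerable shape: only the caller's capability is checked. The target
// WordPress user ID is never inspected, so a low-privileged role that holds
// customer__edit can point a customer record at an administrator account.
function connect_customer_to_wp_user_vulnerable( int $customer_id, int $wp_user_id ) {
    if ( ! current_user_can( 'customer__edit' ) ) {
        return new WP_Error( 'forbidden', 'Missing customer__edit capability.' );
    }
    return hypothetical_store_customer_wp_user( $customer_id, $wp_user_id );
}

// Hardened shape: keep the caller check, then validate the target account.
// A caller may link to a user only if the caller already holds every
// elevated capability that user has (so an agent cannot reach an admin,
// while an administrator can still link to another administrator).
function connect_customer_to_wp_user_hardened( int $customer_id, int $wp_user_id ) {
    if ( ! current_user_can( 'customer__edit' ) ) {
        return new WP_Error( 'forbidden', 'Missing customer__edit capability.' );
    }

    $target = get_userdata( $wp_user_id );
    if ( ! $target ) {
        return new WP_Error( 'invalid_user', 'Target WordPress user does not exist.' );
    }

    // Capabilities treated as "privileged" (assumed list; tune to the site).
    $privileged_caps = array( 'manage_options', 'edit_users', 'promote_users', 'delete_users' );
    foreach ( $privileged_caps as $cap ) {
        if ( user_can( $target, $cap ) && ! current_user_can( $cap ) ) {
            return new WP_Error(
                'forbidden',
                sprintf( 'Cannot link to a user holding %s without holding it yourself.', $cap )
            );
        }
    }

    return hypothetical_store_customer_wp_user( $customer_id, $wp_user_id );
}
```

The check compares the target's capabilities with the caller's rather than hard-coding role names, which is what NIST AC-3 (enforce authorization on the object, not just the subject) and AC-6 (the caller may not confer more privilege than it has) call for in this setting; the later password-reset step in the advisory's chain is harmless once the link to a privileged account is refused.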
References to the vulnerable code include the connect-customer-to-wp-user.php file at https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/abilities/customers/connect-customer-to-wp-user.php, roles_helper.php at https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/helpers/roles_helper.php, and customer_model.php at https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.1/lib/models/customer_model.php. A patch is indicated in changeset 3514330 at https://plugins.trac.wordpress.org/changeset/3514330/latepoint, with the plugin page at https://wordpress.org/plugins/latepoint/.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-25910
Vulnerability details
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute() method of the connect-customer-to-wp-user ability, which only requires the customer__edit capability granted to the latepoint_agent role by default, without verifying whether the target WordPress user ID belongs to a privileged account. This makes it possible for authenticated attackers with the latepoint_agent role to link any LatePoint customer record to an administrator's WordPress account and subsequently reset the administrator's password via the normal customer password-reset flow, resulting in full site takeover.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability is explicitly a privilege escalation flaw (CWE-269) allowing authenticated low-privileged users (latepoint_agent role) to associate customer records with administrator accounts and reset passwords for full site takeover via missing authorization checks.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5)
Enforces required authorization checks in the connect-customer-to-wp-user execute() method to prevent latepoint_agent users from linking customer records to privileged administrator accounts.
Applies least privilege to restrict the latepoint_agent role's customer__edit capability from allowing connections to privileged WordPress user accounts.
Manages account privileges and roles to ensure latepoint_agent cannot escalate by linking to or resetting administrator passwords.