
CVE-2026-1566: CWE-269 Improper Privilege Management in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events

Severity: High
Tags: Vulnerability, CVE-2026-1566, CWE-269
Published: Mon Mar 02 2026 (03/02/2026, 23:22:55 UTC)
Source: CVE Database V5
Vendor/Project: latepoint
Product: LatePoint – Calendar Booking Plugin for Appointments and Events

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 5.2.7. This is due to the plugin allowing users with the LatePoint Agent role, when creating new customers, to set the 'wordpress_user_id' field. This makes it possible for authenticated attackers, with Agent-level access and above, to gain elevated privileges by linking a customer to an arbitrary user ID, including administrators, and then resetting the password.

AI-Powered Analysis

Last updated: 03/02/2026, 23:47:39 UTC

Technical Analysis

CVE-2026-1566 is a privilege escalation vulnerability classified under CWE-269 (Improper Privilege Management) found in the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress. The vulnerability exists in all versions up to and including 5.2.7. The root cause is that users assigned the LatePoint Agent role, which is intended to have limited privileges, can set the 'wordpress_user_id' field when creating new customer entries. This field links the customer record to a WordPress user account. By manipulating this field, an attacker with Agent-level access can associate a customer with an arbitrary WordPress user ID, including those of administrators. Subsequently, the attacker can trigger a password reset for that linked user account, effectively allowing them to reset the password of any user, including administrators, without needing higher privileges or additional authentication. This flaw enables attackers to escalate privileges from a low-level role to full administrative control over the WordPress site. The vulnerability is remotely exploitable over the network, requires only low privileges (Agent role), and does not require user interaction, making exploitation straightforward once access is obtained. The CVSS v3.1 base score is 8.8, indicating high severity with impacts on confidentiality, integrity, and availability. No patches or official fixes are linked yet, and no known exploits have been reported in the wild as of the publication date. The vulnerability highlights a critical failure in access control and privilege separation within the LatePoint plugin's user management functionality.
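The root cause described above, modelled as an added Python example that is not LatePoint's code: a customer-creation handler that copies every submitted field into the record (the flaw class, mass assignment) beside one that applies a per-role field allow-list so only an administrator can set the link to a WordPress account. The role names, the fields other than 'wordpress_user_id', and the allow-list policy are assumptions for illustration.

```python
from dataclasses import dataclass
from typing import Optional, Tuple, List

ADMIN_USER_ID = 1  # constructed: the site's administrator account

# Assumed policy (not the plugin's real configuration): which fields a role may
# supply when creating a customer. Only administrators may set the link to a
# WordPress account.
ALLOWED_FIELDS = {
    "agent": {"first_name", "last_name", "email", "phone"},
    "administrator": {"first_name", "last_name", "email", "phone", "wordpress_user_id"},
}


@dataclass
class Customer:
    first_name: str = ""
    last_name: str = ""
    email: str = ""
    phone: str = ""
    wordpress_user_id: Optional[int] = None


def create_customer_vulnerable(actor_role: str, payload: dict) -> Customer:
    """Mass assignment: every recognised field is copied, whoever submits it."""
    customer = Customer()
    for key, value in payload.items():
        if key in Customer.__dataclass_fields__:
            setattr(customer, key, value)
    return customer


def create_customer_hardened(actor_role: str, payload: dict) -> Tuple[Customer, List[str]]:
    """Honour only fields on the actor's allow-list; return the rejected keys so
    the caller can log an Agent trying to set 'wordpress_user_id'."""
    allowed = ALLOWED_FIELDS.get(actor_role, set())
    customer = Customer()
    rejected = []
    for key, value in payload.items():
        if key in allowed:
            setattr(customer, key, value)
        else:
            rejected.append(key)
    return customer, rejected


# Constructed request from an Agent-role user attempting to link the new
# customer to the administrator account.
AGENT_PAYLOAD = {"first_name": "Eve", "email": "eve@example.invalid",
                 "wordpress_user_id": ADMIN_USER_ID}
```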

Potential Impact

The impact of CVE-2026-1566 is significant for organizations using the LatePoint plugin on WordPress sites. An attacker with Agent-level access can escalate privileges to administrator level, leading to full site compromise. This includes unauthorized access to sensitive data, modification or deletion of content, installation of backdoors or malware, and disruption of services. The ability to reset administrator passwords without proper authorization undermines the integrity and confidentiality of the entire WordPress environment. For businesses relying on LatePoint for appointment scheduling, this could result in data breaches involving customer information, loss of customer trust, and potential regulatory penalties. Additionally, attackers could leverage compromised administrator accounts to pivot to other parts of the network or launch further attacks. The vulnerability's ease of exploitation and lack of user interaction requirements increase the risk of rapid exploitation once an attacker gains Agent-level access, which might be obtained through other means such as phishing or credential stuffing. Overall, the threat poses a critical risk to the security posture of affected organizations worldwide.

Mitigation Recommendations

To mitigate CVE-2026-1566, organizations should immediately upgrade the LatePoint plugin to a version where this vulnerability is patched once available. Until an official patch is released, administrators should restrict the assignment of the LatePoint Agent role to only fully trusted users and audit existing Agent accounts for suspicious activity. Implement strict role-based access controls and monitor for unusual password reset requests or changes to user associations within the plugin. Consider disabling the password reset functionality for LatePoint users if possible or restricting it via custom code or security plugins. Employ multi-factor authentication (MFA) for all administrator accounts to reduce the risk of account takeover even if passwords are reset. Regularly review WordPress user accounts linked to LatePoint customers to detect unauthorized mappings. Network segmentation and limiting access to the WordPress admin interface can also reduce exposure. Finally, maintain comprehensive logging and alerting to detect exploitation attempts promptly.
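An added example (not LatePoint's or WordPress's code) for the review of customer-to-user mappings recommended above: an audit over an exported set of customer records and WordPress users that flags links to privileged accounts, links set by a non-administrator whose e-mail does not match the linked account, and accounts linked to more than one customer. The column names, the privileged-role set and the rows are constructed.

```python
from collections import defaultdict

# Assumed set of roles whose accounts should never be reachable from a
# customer record; adjust to the site's role configuration.
PRIVILEGED_ROLES = {"administrator", "editor"}

# Constructed export of LatePoint customer records (column names assumed).
CUSTOMERS = [
    {"id": 10, "email": "alice@example.invalid", "wordpress_user_id": 7, "created_by_role": "administrator"},
    {"id": 11, "email": "bob@example.invalid", "wordpress_user_id": 1, "created_by_role": "agent"},
    {"id": 12, "email": "carol@example.invalid", "wordpress_user_id": 8, "created_by_role": "agent"},
    {"id": 13, "email": "dave@example.invalid", "wordpress_user_id": 8, "created_by_role": "agent"},
    {"id": 14, "email": "erin@example.invalid", "wordpress_user_id": None, "created_by_role": "agent"},
]

# Constructed view of WordPress users: id -> (email, roles).
WP_USERS = {
    1: ("owner@example.invalid", {"administrator"}),
    7: ("alice@example.invalid", {"subscriber"}),
    8: ("carol@example.invalid", {"subscriber"}),
}


def audit_mappings(customers, wp_users):
    """Return sorted (customer_id, reason) findings for mappings worth review."""
    findings = []
    linked = defaultdict(list)  # wordpress_user_id -> customer ids
    for c in customers:
        uid = c["wordpress_user_id"]
        if uid is None:
            continue  # customer has no WordPress account attached
        linked[uid].append(c["id"])
        if uid not in wp_users:
            findings.append((c["id"], "links to non-existent user %d" % uid))
            continue
        user_email, roles = wp_users[uid]
        hit = roles & PRIVILEGED_ROLES
        if hit:
            findings.append((c["id"], "links to privileged user %d (%s)" % (uid, ", ".join(sorted(hit)))))
        # A link set by a non-administrator whose e-mail does not match the
        # account is the pattern the advisory describes.
        if c["created_by_role"] != "administrator" and c["email"].lower() != user_email.lower():
            findings.append((c["id"], "email mismatch with linked user %d" % uid))
    for uid, ids in linked.items():
        if len(ids) > 1:  # one account behind several customer records
            findings.extend((cid, "user %d is linked to %d customers" % (uid, len(ids))) for cid in ids)
    return sorted(findings)
```

On the constructed rows the audit reports customer 11 twice (privileged link and e-mail mismatch), customer 13 twice (mismatch and shared account) and customer 12 once (shared account), while the administrator-created mapping and the unlinked customer produce nothing.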


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2026-01-28T20:18:56.426Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 69a61e3fd1a09e29cb5e40e8

Added to database: 3/2/2026, 11:33:19 PM

Last enriched: 3/2/2026, 11:47:39 PM

Last updated: 3/3/2026, 2:04:57 AM
