CVE-2026-13228 in LatePoint Plugininfo

Summary

by MITRE • 07/01/2026

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.6.3 This is due to an Insecure Direct Object Reference (IDOR) in the create_or_update() function of OsOrdersController, which allows an authenticated Agent to supply an arbitrary order[customer_id] and overwrite any LatePoint customer's email field (including one linked to a WordPress Administrator's account) through the public-scope customer set_data() call, combined with a missing role verification in OsAuthHelper::authorize_customer() which logs in the linked WordPress user without checking its role. This makes it possible for authenticated attackers, with custom (Agent)-level access and above, to elevate their privileges to Administrator.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/01/2026

The vulnerability identified in the LatePoint WordPress plugin represents a critical privilege escalation flaw that undermines the security model of the application. This issue affects versions up to and including 5.6.3, where an authenticated attacker with Agent-level permissions can exploit a design weakness to gain administrative access. The core problem stems from improper input validation within the create_or_update() function of the OsOrdersController component, which fails to adequately verify object references before processing user-supplied data.

The technical exploitation occurs through an insecure direct object reference vulnerability that allows attackers to manipulate the order[customer_id] parameter during order creation or modification. This weakness enables an authenticated Agent to target any customer record within the system by simply supplying an arbitrary customer ID value. The vulnerability is compounded by the public-scope customer set_data() method, which accepts unverified inputs and processes them without proper authorization checks. When combined with the missing role verification in OsAuthHelper::authorize_customer(), this creates a complete privilege escalation pathway.

The operational impact of this vulnerability extends beyond simple access control bypass as it allows attackers to manipulate customer data directly linked to WordPress administrator accounts. An attacker can overwrite critical customer information including email addresses, effectively gaining access to administrator accounts through the associated customer records. This type of vulnerability aligns with CWE-284 Access Control Issues and represents a significant deviation from secure authentication practices where role verification should occur before granting system-level privileges.

The attack vector requires minimal prerequisites as only an authenticated Agent account is needed to initiate the exploitation process. This makes the vulnerability particularly dangerous in environments where multiple user roles exist, as it provides a clear path for lateral movement and privilege escalation. The vulnerability also demonstrates poor separation of concerns within the application architecture, where customer data management logic intersects with authentication mechanisms without proper authorization boundaries.

Security professionals should note that this vulnerability directly maps to several ATT&CK techniques including privilege escalation through access token manipulation and credential access through compromised accounts. The issue highlights the importance of implementing proper input validation and role-based access controls in web applications. Organizations using this plugin must immediately update to patched versions or implement temporary mitigations such as restricting Agent-level permissions until a security patch can be applied.

The root cause analysis reveals fundamental architectural flaws in how the application handles customer data relationships and authentication flows. The lack of proper authorization checks during customer login operations creates a dangerous precedent where user roles are not properly verified before granting system access. This vulnerability serves as a reminder of the critical importance of defense-in-depth principles, where multiple layers of security controls should be implemented to prevent single points of failure. Organizations should conduct comprehensive security reviews of their WordPress installations to identify similar issues that might exist in other plugins or themes.

The vulnerability also demonstrates the risk associated with insufficient parameter validation and object reference management in web applications. The combination of public API endpoints with weak access controls creates an environment where attackers can manipulate system state through carefully crafted requests. This particular flaw represents a classic example of how seemingly isolated security issues can combine to create more significant threats than their individual components would suggest. Proper implementation of authorization checks at every level of the application stack is essential to prevent such vulnerabilities from being exploited by malicious actors.

Responsible

Wordfence

Reservation

06/24/2026

Disclosure

07/01/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!