CVE-2026-8176

{"id": "CVE-2026-8176", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 1.6}]}, "published": "2026-06-16T10:16:28.993", "references": [{"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L415", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customer_cabinet_controller.php#L491", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/controllers/customers_controller.php#L342", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L253", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/models/customer_model.php#L322", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customer_cabinet_controller.php#L415", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customer_cabinet_controller.php#L491", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/customers_controller.php#L342", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/orders_controller.php#L100", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/controllers/orders_controller.php#L124", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/helpers/customer_helper.php#L253", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.1/lib/models/customer_model.php#L322", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L415", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customer_cabinet_controller.php#L491", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/customers_controller.php#L342", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/orders_controller.php#L100", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/controllers/orders_controller.php#L124", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L253", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/models/customer_model.php#L322", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/models/customer_model.php#L427", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3531832%40latepoint&old=3522933%40latepoint&sfp_email=&sfph_mail=", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/b8d5bb6c-2021-4fc0-bede-8da1c3fb591a?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-269"}]}], "descriptions": [{"lang": "en", "value": "The LatePoint \u2013 Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation to Administrator in versions up to, and including, 5.5.1. The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password without ever invoking an Administrator-only API. This makes it possible for authenticated attackers, with Agent access and above, to elevate their privileges to Administrator."}], "lastModified": "2026-06-16T15:22:49.577", "sourceIdentifier": "security@wordfence.com"}