PatchSiren cyber security CVE debrief
CVE-2026-8176 latepoint CVE debrief
CVE-2026-8176 is a Privilege Escalation vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress. The vulnerability affects versions up to, and including, 5.5.1. An authenticated Agent (Agent+) can exploit this vulnerability to elevate their privileges to Administrator without invoking an Administrator-only API.
- Vendor: latepoint
- Product: LatePoint – Calendar Booking Plugin for Appointments and Events
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-16
- Original CVE updated: 2026-06-16
- Advisory published: 2026-06-16
- Advisory updated: 2026-06-16
Who should care
Users of the LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress, particularly those with Agent access or above, should be aware of this vulnerability. Administrators of WordPress installations with this plugin should prioritize updating to a patched version.
Technical summary
The plugin chains three independent flaws that together allow an authenticated Agent (Agent+) to overwrite a WordPress Administrator's password. This is possible due to weaknesses in the plugin's code, specifically in the customer cabinet controller, customers controller, customer helper, and customer model.
Defensive priority
High
Recommended defensive actions
- Update the LatePoint – Calendar Booking Plugin for Appointments and Events plugin to a version beyond 5.5.1.
- Restrict Agent access and above to only trusted users.
- Monitor for suspicious activity, particularly privilege escalation attempts.
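To act on the first recommendation across several sites, the following added example (not code from the advisory or from the LatePoint project) reports whether each WordPress root carries a LatePoint version inside the affected range, using version ordering so that a release such as 5.10.0 is not mistaken for an older one. It assumes the plugin directory is named latepoint, that its main file is latepoint.php with the standard WordPress "Version:" header, and that sort supports -V; the make_sample helper only builds a constructed header for trying it out.

```bash
#!/usr/bin/env bash
# Added example: flag WordPress installs whose LatePoint version is in the
# affected range stated in the advisory (up to and including 5.5.1).
# Assumptions: plugin directory "latepoint", main file "latepoint.php".

LAST_AFFECTED="5.5.1"

# version_le A B: succeeds when A <= B under version ordering (sort -V).
version_le() {
  [ "$1" = "$2" ] && return 0
  [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n1)" = "$1" ]
}

# latepoint_version WP_ROOT: prints the Version header value, or nothing.
latepoint_version() {
  local main="$1/wp-content/plugins/latepoint/latepoint.php"
  [ -f "$main" ] || return 0
  # Header line looks like " * Version: 5.5.1"; keep the first match only.
  sed -n 's/^[[:space:]*#]*Version:[[:space:]]*\([0-9][0-9A-Za-z.+-]*\).*$/\1/p' "$main" | head -n1
}

# latepoint_status WP_ROOT: prints absent | unknown | affected VER | newer VER.
# "newer" only means the version is beyond 5.5.1, as the advisory asks.
latepoint_status() {
  local ver
  [ -d "$1/wp-content/plugins/latepoint" ] || { echo "absent"; return 0; }
  ver="$(latepoint_version "$1")"
  [ -n "$ver" ] || { echo "unknown"; return 0; }
  if version_le "$ver" "$LAST_AFFECTED"; then
    echo "affected $ver"
  else
    echo "newer $ver"
  fi
}

# make_sample ROOT VER: writes a constructed plugin header, not a real install.
make_sample() {
  mkdir -p "$1/wp-content/plugins/latepoint"
  printf '<?php\n/**\n * Plugin Name: LatePoint\n * Version: %s\n */\n' "$2" \
    > "$1/wp-content/plugins/latepoint/latepoint.php"
}

# Usage: script.sh /var/www/site1 /var/www/site2 (one report line per root).
for root in "$@"; do
  printf '%s\t%s\n' "$root" "$(latepoint_status "$root")"
done
```

An "unknown" result means the plugin directory exists but no version could be read, which deserves a manual look rather than being treated as safe.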
Evidence notes
Evidence from Wordfence indicates that the vulnerability was discovered and reported. Multiple references to specific lines of code in the plugin's files are provided, detailing the weaknesses that contribute to the vulnerability.
Official resources
CVE-2026-8176 was published on 2026-06-16T10:16:28.993Z.