PatchSiren

CVE-2026-7652 Plugins CVE debrief

CVE-2026-7652 is an unauthenticated account-takeover issue in the LatePoint WordPress plugin's guest booking flow. In the vulnerable configuration described in the source record, a guest booking can overwrite a customer's email and that email can then be propagated to a linked WordPress user account without ownership verification, allowing a password-reset hijack.

Vendor: Plugins
Product: Unknown (the debrief body identifies the affected product as the LatePoint WordPress plugin)
CVSS: MEDIUM 5.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-09
Original CVE updated: 2026-05-09
Advisory published: 2026-05-09
Advisory updated: 2026-05-09

Who should care

WordPress site operators running LatePoint 5.5.0 or earlier, especially sites that expose guest booking with phone-based contact merging and WordPress user integration enabled and customer authentication disabled. Prioritize review of any non-super-admin WordPress accounts that are linked, or could become linked, to LatePoint customer records.

Technical summary

The supplied description and cited code locations point to two linked problems. First, the unauthenticated guest booking flow merges a submission into an existing customer record by phone number and, in doing so, can replace that customer's stored email with the submitted one. Second, the save_connected_wordpress_user() path then passes the updated email into wp_update_user() without verifying that the requester controls either the existing or the new address. On a site with WordPress user integration and phone-based contact merging enabled and customer authentication disabled, an attacker who can submit a booking that matches the victim's phone number can therefore point the victim's WordPress account email at an attacker-controlled address and complete the takeover through the normal WordPress password-reset process. The source description states that administrator accounts on single-site installs are not affected.
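
The chain above, as an added illustration that is not LatePoint or WordPress code: a small Python model of a guest booking flow whose phone-based merge overwrites a customer's email and then propagates it to the linked WordPress user, so the next password reset is routed to the attacker. The hardened branch applies one common remediation pattern, which is an assumption here and not necessarily the vendor's fix: an email change on a customer linked to a WordPress user is only applied when the request carries a token that was previously mailed to the address already on file. Every class, function and address in the block is hypothetical.

```python
# Added model of the CVE-2026-7652 failure mode. NOT LatePoint/WordPress code;
# names, structures and the token-based hardening are assumptions.
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional
import secrets


@dataclass
class WPUser:
    id: int
    login: str
    email: str


@dataclass
class Customer:
    id: int
    email: str
    phone: str
    wp_user_id: Optional[int] = None   # set when "WordPress user integration" linked it


@dataclass
class Site:
    hardened: bool
    phone_merge: bool = True           # "phone-based contact merging" enabled
    wp_integration: bool = True        # "WordPress user integration" enabled
    users: dict = field(default_factory=dict)          # wp user id -> WPUser
    customers: dict = field(default_factory=dict)      # customer id -> Customer
    outbox: list = field(default_factory=list)         # (to_address, subject) mails "sent"
    change_tokens: dict = field(default_factory=dict)  # token -> (customer_id, new_email)

    def find_customer_by_phone(self, phone: str) -> Optional[Customer]:
        return next((c for c in self.customers.values() if c.phone == phone), None)

    def guest_booking(self, email: str, phone: str, token: Optional[str] = None) -> Customer:
        """Unauthenticated booking submission: customer authentication is disabled,
        so nothing here proves the submitter owns any of the supplied identity."""
        customer = self.find_customer_by_phone(phone) if self.phone_merge else None
        if customer is None:
            customer = Customer(id=len(self.customers) + 1, email=email, phone=phone)
            self.customers[customer.id] = customer
            return customer
        if customer.email != email:
            if self.hardened and customer.wp_user_id is not None:
                # Hardened: a linked customer's email never changes on an unverified
                # request. Mail a confirmation token to the address currently on file
                # and apply the change only when that token comes back.
                if token is None or self.change_tokens.get(token) != (customer.id, email):
                    new_token = secrets.token_urlsafe(16)
                    self.change_tokens[new_token] = (customer.id, email)
                    self.outbox.append((customer.email, f"confirm-email-change:{new_token}"))
                    return customer
                del self.change_tokens[token]
            customer.email = email   # vulnerable path: the submitted email simply wins
        self.save_connected_wordpress_user(customer)
        return customer

    def save_connected_wordpress_user(self, customer: Customer) -> None:
        """Propagates the customer email to the linked WP user (stands in for wp_update_user)."""
        if not self.wp_integration or customer.wp_user_id is None:
            return
        self.users[customer.wp_user_id].email = customer.email

    def request_password_reset(self, login: str) -> str:
        """Normal WP reset: the mail goes wherever user_email now points."""
        user = next(u for u in self.users.values() if u.login == login)
        self.outbox.append((user.email, "password-reset"))
        return user.email


def seeded_site(hardened: bool) -> Site:
    """Constructed victim: WP user 7 linked to customer 1 via the plugin."""
    site = Site(hardened=hardened)
    site.users[7] = WPUser(id=7, login="alice", email="alice@example.org")
    site.customers[1] = Customer(id=1, email="alice@example.org", phone="+15550100", wp_user_id=7)
    return site


def run_takeover(hardened: bool) -> str:
    """Attacker supplies only the victim's phone number plus their own email.
    Returns the address that receives alice's password-reset mail."""
    site = seeded_site(hardened)
    site.guest_booking(email="attacker@evil.example", phone="+15550100")
    return site.request_password_reset("alice")


def run_legitimate_change() -> str:
    """Hardened site: the real owner confirms via the token mailed to the old address."""
    site = seeded_site(hardened=True)
    site.guest_booking(email="alice@new.example", phone="+15550100")
    to_address, subject = site.outbox[-1]             # goes to alice@example.org
    token = subject.split(":", 1)[1]
    site.guest_booking(email="alice@new.example", phone="+15550100", token=token)
    return site.users[7].email


if __name__ == "__main__":
    print("vulnerable: reset mail goes to", run_takeover(hardened=False))
    print("hardened:   reset mail goes to", run_takeover(hardened=True))
    print("hardened, owner-confirmed change ->", run_legitimate_change())
```

The point of the model is that neither the merge nor the propagation step is wrong on its own; the takeover exists because an unauthenticated request can drive both without any proof of ownership, which is why the fix belongs at the point where the email change is accepted rather than in the reset flow.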

Defensive priority

Moderate overall; high priority for internet-facing booking sites that match the vulnerable configuration.

Recommended defensive actions

  • Upgrade LatePoint to 5.5.1 or later, the release the supplied 5.5.0-to-5.5.1 comparison reference points at, and confirm on the upgraded site that the guest booking path no longer propagates an unverified email to the linked WordPress user.
  • Disable guest booking, phone-based contact merging, or WordPress user integration if they are not strictly required.
  • Avoid configurations that leave customer authentication disabled on exposed booking forms.
  • Audit WordPress user email-address changes and LatePoint customer linkage for unexpected updates, especially for non-super-admin accounts.
  • Force password resets and review account recovery activity for any users whose email may have been modified.
  • Reconfirm that the site is not relying on the vulnerable email-to-user propagation path for account matching or recovery.
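
An added audit example for the email-change and account-recovery review items above; it is not PatchSiren, LatePoint or WordPress code. It correlates two constructed event streams a site might keep (WordPress user email changes and password-reset requests) and flags the pattern this issue produces: a non-super-admin user whose email was changed by the plugin or system path rather than by the user, followed within a window by a reset request sent to the new address. The log line format, field names, actor values and the super-admin ID set are assumptions for the example.

```python
# Added detection example. The log format below is constructed for the example;
# adapt parse_line() to whatever your audit plugin or SIEM actually emits.
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)   # reset requested this soon after a plugin-driven change is suspicious
SUPER_ADMINS = {1}             # constructed: IDs the source says are out of scope

# Constructed sample events: ISO timestamp, event name, then key=value fields.
SAMPLE_LOG = """\
2026-05-10T08:01:12Z user_email_changed user_id=7 login=alice old=alice@example.org new=attacker@evil.example actor=plugin:latepoint
2026-05-10T08:03:40Z password_reset_requested user_id=7 login=alice sent_to=attacker@evil.example
2026-05-10T09:15:00Z user_email_changed user_id=12 login=bob old=bob@old.example new=bob@new.example actor=user:12
2026-05-10T09:16:30Z password_reset_requested user_id=12 login=bob sent_to=bob@new.example
2026-05-10T11:00:00Z user_email_changed user_id=3 login=carol old=carol@example.org new=carol@corp.example actor=plugin:latepoint
2026-05-12T11:00:00Z password_reset_requested user_id=3 login=carol sent_to=carol@corp.example
"""


def parse_line(line: str) -> dict:
    """One event per line: '<ts> <event> k=v k=v ...' (assumed format)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    fields["event"] = event
    return fields


def audit(log_text: str, window: timedelta = WINDOW, super_admins=SUPER_ADMINS) -> dict:
    """Returns two lists:
    plugin_email_changes   - every email change not made by the user themselves
                             (each one deserves a look on a linked, non-super-admin account)
    reset_hijack_candidates - the subset followed, within `window`, by a password
                             reset sent to the newly set address (the takeover pattern)
    """
    events = [parse_line(line) for line in log_text.splitlines() if line.strip()]
    resets = [e for e in events if e["event"] == "password_reset_requested"]
    plugin_changes, candidates = [], []
    for ch in events:
        if ch["event"] != "user_email_changed" or ch["actor"].startswith("user:"):
            continue
        if int(ch["user_id"]) in super_admins:
            continue
        plugin_changes.append({"user_id": int(ch["user_id"]), "login": ch["login"],
                               "old_email": ch["old"], "new_email": ch["new"],
                               "changed_by": ch["actor"], "changed_at": ch["ts"].isoformat()})
        for rs in resets:
            same_user = rs["user_id"] == ch["user_id"]
            to_new_address = rs["sent_to"] == ch["new"]
            in_window = ch["ts"] <= rs["ts"] <= ch["ts"] + window
            if same_user and to_new_address and in_window:
                candidates.append({**plugin_changes[-1], "reset_at": rs["ts"].isoformat()})
    return {"plugin_email_changes": plugin_changes, "reset_hijack_candidates": candidates}


if __name__ == "__main__":
    report = audit(SAMPLE_LOG)
    for finding in report["reset_hijack_candidates"]:
        print("LIKELY HIJACK:", finding)
    for change in report["plugin_email_changes"]:
        print("review:", change)
```

On the sample data only alice is reported as a likely hijack: bob changed his own address, and carol's reset came two days after a plugin-driven change, outside the window. Carol still appears in the review list, which is the right outcome for this issue: a plugin-driven email change on a linked non-super-admin account is worth a forced reset and a recovery-activity review even without a matching reset event, because the attacker may not have requested the reset yet.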

Evidence notes

The source corpus includes the NVD record, the CVSS vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, and a CWE-640 (weak password recovery mechanism) classification from the referenced Wordfence analysis. The supplied references cite LatePoint code locations in versions 5.4.2 and 5.5.0, plus the upstream code tree and a 5.5.0-to-5.5.1 comparison reference, which together support the affected-version range through 5.5.0. Note that the vector records only a low integrity impact and no confidentiality impact, which is lower than a completed account takeover would normally score; the 5.3 figure should not be the only input to prioritization for sites that match the vulnerable configuration. No Known Exploited Vulnerabilities entry was supplied.

Official resources

Publicly disclosed on 2026-05-09 via the supplied NVD record and referenced Wordfence analysis. The corpus does not include a KEV entry, and this debrief uses the CVE publication date from the source record.