CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-1566: Privilege Escalation via Improper Authorization in LatePoint WordPress Plugin

Vulnerability ID: CVE-2026-1566
CVSS Score: 8.8
Published: 2026-03-02

CVE-2026-1566 is a high-severity privilege escalation vulnerability in the LatePoint WordPress plugin affecting versions 5.2.7 and earlier. Authenticated attackers with Agent privileges can manipulate the wordpress_user_id parameter during customer creation to link their account to an administrator, enabling full site takeover via password reset mechanisms.

TL;DR

Authenticated Agent users in LatePoint <= 5.2.7 can escalate to Administrator by linking a customer record to an admin's WordPress ID and executing a password reset.


⚠️ Exploit Status: POC

Technical Details

  • CVSS v3.1 Score: 8.8 (High)
  • CWE ID: CWE-269
  • Attack Vector: Network
  • Privileges Required: Low (LatePoint Agent)
  • Impact: Privilege Escalation to Administrator
  • Exploit Status: Proof of Concept Available
  • KEV Status: Not Listed
  • EPSS Score: 0.04%

Affected Systems

  • WordPress installations running LatePoint Plugin versions 5.2.7 and earlier.
  • LatePoint Plugin: <= 5.2.7 (Fixed in: 5.2.8)

Mitigation Strategies

  • Update LatePoint plugin to version 5.2.8 or higher.
  • Implement Web Application Firewall (WAF) rules to inspect and block unauthorized modifications to the wordpress_user_id parameter.
  • Enforce principle of least privilege for LatePoint Agent accounts, restricting access strictly to necessary personnel.

Remediation Steps:

  1. Log into the WordPress administrative dashboard with Administrator privileges.
  2. Navigate to the Plugins section and check for available updates.
  3. Locate the LatePoint plugin and execute the update process to install version 5.2.8.
  4. Query the database to identify any LatePoint customer records associated with administrative WordPress IDs.
  5. Reset passwords for any administrative accounts identified as potentially compromised during the audit.
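Step 4 can be carried out with a single query. The query below is an added example, not part of the advisory or of the LatePoint project; it assumes the default WordPress table prefix `wp_`, that LatePoint keeps customer records in a `wp_latepoint_customers` table with `id`, `email` and `wordpress_user_id` columns, and that administrator membership is recorded in the serialized `wp_capabilities` user-meta value. Check these names against your own schema before running it. It also flags rows where the customer e-mail does not match the linked WordPress account, which a legitimately linked admin customer would normally not show.

```sql
-- Audit: LatePoint customer records linked to a WordPress administrator.
-- Assumed names: wp_ prefix, wp_latepoint_customers(id, email, wordpress_user_id).
SELECT c.id                             AS customer_id,
       c.email                          AS customer_email,
       c.wordpress_user_id              AS linked_user_id,
       u.user_login,
       u.user_email,
       -- 1 when the customer record's e-mail differs from the admin account's
       -- e-mail: a stronger indicator that the link was set by someone else.
       (c.email <> u.user_email)        AS email_mismatch
FROM wp_latepoint_customers AS c
JOIN wp_users    AS u ON u.ID = c.wordpress_user_id
JOIN wp_usermeta AS m ON m.user_id = u.ID
                     AND m.meta_key = 'wp_capabilities'
WHERE c.wordpress_user_id IS NOT NULL
  AND c.wordpress_user_id <> 0
  -- capabilities are PHP-serialized, e.g. a:1:{s:13:"administrator";b:1;}
  AND m.meta_value LIKE '%"administrator"%'
ORDER BY email_mismatch DESC, c.id;
```

Any row returned should be reviewed, and the linked administrator's password reset as described in step 5; rows with `email_mismatch = 1` deserve attention first.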

References


Read the full report for CVE-2026-1566 on our website for more details including interactive diagrams and full exploit analysis.
