According to Roger Montti’s article on Search Engine Journal, “WordPress Calendar Plugin Vulnerability Affects Up To 100k Sites,” a high-severity vulnerability has been discovered in the LatePoint Calendar Booking WordPress plugin, potentially impacting over 100,000 websites.
Vulnerability Overview
Montti reports that the flaw is rated 8.8 (High) and allows authenticated attackers with Agent-level access or higher to escalate their privileges and potentially take control of higher-level accounts.
LatePoint is commonly used by service-based businesses to manage bookings, appointments, payments, and customer records, making it a critical component of many business websites.
Root Cause: Privilege Escalation Through User Linking
The vulnerability arises from how the plugin handles the wordpress_user_id field when creating new customer records. According to Montti, users with the Agent role can assign this field to any existing WordPress user account.
Because the plugin does not restrict which user ID can be linked, an attacker can associate a new customer with an administrator account and then trigger a password reset, effectively taking over that account.
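The following is an added illustration of the defensive check the article implies is missing; it is not LatePoint's code and makes no claim about how that plugin is structured. The hook name `myplugin_save_customer`, the capability `myplugin_manage_customers` and the storage helper `myplugin_insert_customer()` are hypothetical. The point is that a client-supplied `wordpress_user_id` is treated as untrusted input: a caller may only link a customer record to another WordPress account if the caller has the right to administer users, and never to an account that outranks the caller.

```php
<?php
/**
 * Added example (hypothetical plugin, not LatePoint's own code):
 * validate a client-supplied wordpress_user_id before storing it on a
 * booking-customer record. Uses only core WordPress APIs.
 */

/**
 * Decide which WordPress user, if any, a new customer record may be linked to.
 * Returns an int user ID (0 = no link) or a WP_Error.
 */
function myplugin_resolve_linked_user( $requested_user_id ) {
    $requested_user_id = absint( $requested_user_id );

    // An empty value means "no linked login", which is always acceptable.
    if ( 0 === $requested_user_id ) {
        return 0;
    }

    // Weak form would stop here and store the ID unchecked. Instead, require
    // the caller to hold a user-administration capability before linking
    // a record to any account other than their own.
    if ( get_current_user_id() !== $requested_user_id
        && ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'forbidden', 'You may only link a customer to your own account.' );
    }

    $target = get_userdata( $requested_user_id );
    if ( ! $target ) {
        return new WP_Error( 'invalid_user', 'No such WordPress user.' );
    }

    // Never let a caller attach a record to an account more privileged than
    // themselves; this is the step that blocks the agent-to-admin link.
    if ( user_can( $target, 'manage_options' ) && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'forbidden', 'Cannot link a customer to an administrator account.' );
    }

    return $requested_user_id;
}

/** Request handler for creating a customer (hypothetical admin-ajax action). */
function myplugin_save_customer() {
    check_ajax_referer( 'myplugin_save_customer', '_wpnonce' );

    if ( ! current_user_can( 'myplugin_manage_customers' ) ) { // hypothetical capability
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $linked = myplugin_resolve_linked_user( $_POST['wordpress_user_id'] ?? 0 );
    if ( is_wp_error( $linked ) ) {
        error_log( sprintf( 'myplugin: user %d rejected linking customer to user %s',
            get_current_user_id(), sanitize_text_field( $_POST['wordpress_user_id'] ?? '' ) ) );
        wp_send_json_error( $linked->get_error_message(), 403 );
    }

    $customer_id = myplugin_insert_customer( array(          // hypothetical storage helper
        'full_name'         => sanitize_text_field( $_POST['full_name'] ?? '' ),
        'email'             => sanitize_email( $_POST['email'] ?? '' ),
        'wordpress_user_id' => $linked,
    ) );

    wp_send_json_success( array( 'customer_id' => $customer_id ) );
}
add_action( 'wp_ajax_myplugin_save_customer', 'myplugin_save_customer' );
```

The rejected attempts are written to the PHP error log, which gives site owners a simple signal to watch for while updating: any log line showing a non-administrator account trying to link a customer record to another user is worth investigating.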
Potential Impact
If attackers exploit this, they can:
- Gain elevated privileges
- Reset administrator passwords
- Take control of the website
Although authentication is needed, the fact that someone with just Agent-level access can exploit this makes it especially worrying for sites with many staff members.
Affected Versions and How to Fix
The issue affects all versions up to and including 5.2.7 and has been fixed in version 5.2.8.
Recommended Action
If you use the LatePoint plugin, update it right away to version 5.2.8 or later. Montti’s report shows that even vulnerabilities needing only limited access can quickly let attackers take over your whole site if you don’t fix them fast.