JustAppSec

LatePoint agent role gives attackers a path to full admin takeover

2 min read | Published 27 Apr 2026 | Updated 27 Apr 2026 | Source: Wordfence Intelligence

TL;DR - LatePoint <= 5.4.1: a latepoint_agent can link any customer record to an arbitrary WordPress user ID, including an administrator, then trigger LatePoint's own password-reset flow to take over that account. Full site takeover from a single agent credential. Fixed in 5.4.2.

What happened

LatePoint is a WordPress appointment-booking plugin with 100,000+ active installations. It adds customer records and an agent role to manage scheduling workflows inside WordPress.

Wordfence disclosed a High-severity privilege escalation affecting all versions <= 5.4.1. The root cause is a missing authorisation check in the execute() method of the connect-customer-to-wp-user ability. An authenticated attacker holding the latepoint_agent role - which carries the customer__edit capability by default - can call that method and link any LatePoint customer record to any WordPress user ID they choose, including an administrator.

Once the link is in place, the attacker triggers LatePoint's normal customer password-reset flow against that record. The reset targets the linked admin account. The result is full site takeover without ever touching a WordPress admin function directly.
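The root cause is an object-level authorisation gap: the handler checks a record-level capability (customer__edit) but never asks whether the caller may act on the target WordPress user. The PHP below is an added illustration of that pattern beside a hardened form, written for this article; it is not LatePoint's code or Wordfence's patch, and the function names, the customers table and its column names are assumptions.

```php
<?php
/**
 * Illustrative "link a customer record to a WordPress user" handler.
 * NOT LatePoint's code: the function names, the example_customers table
 * and its columns are assumptions made for this example.
 *
 * Vulnerable shape: only the coarse, record-level capability is checked,
 * so any caller with customer__edit can point a customer record at any
 * WordPress user ID, including an administrator.
 */
function example_link_customer_vulnerable( int $customer_id, int $wp_user_id ): bool {
    global $wpdb;
    if ( ! current_user_can( 'customer__edit' ) ) {
        return false;
    }
    return false !== $wpdb->update(
        $wpdb->prefix . 'example_customers',          // assumed table
        array( 'wp_user_id' => $wp_user_id ),          // assumed column
        array( 'id' => $customer_id ),
        array( '%d' ),
        array( '%d' )
    );
}

/**
 * Hardened shape: the link decides whose account a later customer
 * password reset lands on, so it must be authorised against the target
 * user, not only against the customer record.
 */
function example_link_customer_hardened( int $customer_id, int $wp_user_id, string $nonce ): bool {
    global $wpdb;

    // 1. Anti-CSRF: the request must carry a nonce bound to this action.
    if ( ! wp_verify_nonce( $nonce, 'example_link_customer_' . $customer_id ) ) {
        return false;
    }

    // 2. Record-level capability, as before.
    if ( ! current_user_can( 'customer__edit' ) ) {
        return false;
    }

    // 3. The target account must exist.
    $target = get_userdata( $wp_user_id );
    if ( ! $target ) {
        return false;
    }

    // 4. Object-level authorisation: attaching a record to a user is an
    //    edit of that user. WordPress's edit_user meta capability is held
    //    by administrators for everyone and by ordinary users only for
    //    themselves, so an agent can link its own account and nobody else's.
    if ( ! current_user_can( 'edit_user', $wp_user_id ) ) {
        return false;
    }

    // 5. Privilege boundary: refuse to attach a record to an account that
    //    holds a sensitive capability the caller lacks. This still blocks
    //    an administrator target if a custom role was granted edit_users.
    foreach ( array( 'manage_options', 'edit_users', 'promote_users', 'install_plugins' ) as $cap ) {
        if ( user_can( $target, $cap ) && ! current_user_can( $cap ) ) {
            return false;
        }
    }

    return false !== $wpdb->update(
        $wpdb->prefix . 'example_customers',
        array( 'wp_user_id' => $wp_user_id ),
        array( 'id' => $customer_id ),
        array( '%d' ),
        array( '%d' )
    );
}
```

The important step is the fourth one: the check is keyed to the specific target user ID, not to a role-wide capability, which is the difference between a record-level permission and an object-level one. The fifth check is belt-and-braces for sites whose custom roles are broader than the defaults.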

Item                Detail
Affected plugin     LatePoint - Calendar Booking Plugin for Appointments and Events (slug: latepoint)
Affected versions   <= 5.4.1
Patched version     5.4.2
Severity            CVSS 3.1 8.8 (High)
CVSS vector         CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

The attack chain is short: one agent credential, one missing check, one admin account gone. At 100,000+ installs, the blast radius is significant.

Who is impacted

  • WordPress sites running latepoint versions <= 5.4.1.
  • Deployments where untrusted users can obtain the latepoint_agent role or any role carrying the customer__edit capability.
  • Highest risk: sites that provision agent accounts broadly, share agent credentials, or allow agents to set weak passwords. Any compromised agent account is a direct path to administrator takeover.

What to do now

  • Update immediately. Patch to 5.4.2 or a newer patched version:

    "Remediation: Update to version 5.4.2, or a newer patched version"

  • Inventory every production and staging WordPress instance for latepoint and confirm the installed version. Staging environments that share credentials or database snapshots with production are also in scope.
  • Audit all users holding the latepoint_agent role:
    • Remove or disable accounts that are no longer needed.
    • Rotate credentials on any shared agent accounts.
  • Treat this as a potential account-takeover exposure:
    • Review WordPress and plugin activity logs for unexpected customer-to-user linking events.
    • Look for unexpected admin password resets or new administrator sessions, particularly in the period before you can confirm patching.
  • If you cannot patch right now, reduce blast radius while you assess:
    • Limit who can authenticate as an agent.
    • Apply least-privilege and shortest-possible lifetime to all agent accounts.
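To support the inventory and audit steps above, here is an added WP-CLI command packaged as a must-use plugin; it is an example written for this article, not code from LatePoint or Wordfence. It assumes the plugin's main file is wp-content/plugins/latepoint/latepoint.php (the advisory gives only the slug) and that the site runs WordPress 5.9 or later, which introduced the capability argument to get_users().

```php
<?php
/**
 * Plugin Name: LatePoint exposure audit (added example)
 * Description: Drop into wp-content/mu-plugins/ and run `wp latepoint-audit`.
 *              Example code for this article, not LatePoint's or Wordfence's.
 */

if ( ! ( defined( 'WP_CLI' ) && WP_CLI ) ) {
    return; // only meaningful from the command line
}

/**
 * Installed LatePoint version, or null when the plugin is absent.
 * Assumption: the main plugin file is latepoint/latepoint.php.
 */
function example_latepoint_version(): ?string {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    $main = WP_PLUGIN_DIR . '/latepoint/latepoint.php';
    if ( ! file_exists( $main ) ) {
        return null;
    }
    $data = get_plugin_data( $main, false, false );
    return ! empty( $data['Version'] ) ? $data['Version'] : null;
}

/**
 * Every role that carries customer__edit, the capability the advisory names.
 * latepoint_agent has it by default, but a site may have granted it elsewhere.
 */
function example_roles_with_customer_edit(): array {
    $out = array();
    foreach ( wp_roles()->roles as $slug => $role ) {
        if ( ! empty( $role['capabilities']['customer__edit'] ) ) {
            $out[] = $slug;
        }
    }
    return $out;
}

WP_CLI::add_command( 'latepoint-audit', function () {
    $version = example_latepoint_version();
    if ( null === $version ) {
        WP_CLI::success( 'LatePoint is not installed on this site.' );
        return;
    }

    // Vulnerable range per the advisory: <= 5.4.1, patched in 5.4.2.
    if ( version_compare( $version, '5.4.2', '<' ) ) {
        WP_CLI::warning( "LatePoint $version is in the vulnerable range; update to 5.4.2 or later." );
    } else {
        WP_CLI::line( "LatePoint $version is at or above the patched version." );
    }

    $roles = example_roles_with_customer_edit();
    WP_CLI::line( 'Roles carrying customer__edit: ' . ( $roles ? implode( ', ', $roles ) : '(none)' ) );

    // Every account that could exercise the flaw, regardless of which role grants the capability.
    $users = get_users( array( 'capability' => 'customer__edit', 'fields' => 'all' ) );
    WP_CLI::line( sprintf( '%d user(s) can currently edit customers:', count( $users ) ) );
    foreach ( $users as $u ) {
        // Accounts that are both agent-capable and administrative deserve a second look.
        $note = user_can( $u, 'manage_options' ) ? ' [also holds manage_options]' : '';
        WP_CLI::line( sprintf(
            '  #%d %s <%s> roles=%s%s',
            $u->ID, $u->user_login, $u->user_email, implode( '|', $u->roles ), $note
        ) );
    }
} );
```

Run it on every production and staging instance; the user list is the starting point for the "remove, disable, rotate" pass, and the role list catches sites where customer__edit was copied into a custom role that the name latepoint_agent alone would not reveal.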
