CVE-2026-7652

MEDIUM
Published May 9, 2026 Modified May 11, 2026 CWE-640

Description

The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected.

CVSS v3.1 Score

5.3
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

EPSS — Exploit Prediction

0.0010
Probability of exploitation
0.27%
Percentile rank

EPSS estimates the probability that this vulnerability will be exploited in the wild within the next 30 days. A higher score means more likely to be exploited.

Weakness Type (CWE)

CWE-640 CWE-640

References

Other References

https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/customer_helper.php#L238 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1940 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.4.2/lib/helpers/steps_helper.php#L1972 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/customer_helper.php#L238 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1940 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.5.0/lib/helpers/steps_helper.php#L1972 https://plugins.trac.wordpress.org/browser/latepoint/trunk/latepoint.php#L1165 https://plugins.trac.wordpress.org/browser/latepoint/trunk/lib/helpers/customer_helper.php#L238

Frequently Asked Questions

What is CVE-2026-7652? +
The LatePoint plugin for WordPress is vulnerable to Account Takeover via Weak Password Recovery Mechanism in the unauthenticated guest booking flow in versions up to, and including, 5.5.0 This is due to the save_connected_wordpress_user() function propagating a LatePoint customer's email address to its linked WordPress user account via wp_update_user() without any ownership verification, combined with the guest booking flow's ability to overwrite an existing customer's email through phone-based merge without authentication. This makes it possible for unauthenticated attackers to overwrite the email address of a non-super-admin WordPress user account that is not yet linked to a LatePoint customer, enabling full account takeover by subsequently triggering the standard WordPress password-reset flow to the attacker-controlled address granted the plugin is configured with WordPress user integration enabled, phone-based contact merging, and customer authentication disabled. Administrator accounts on single-site installs are not affected. It has a CVSS v3.1 base score of 5.3 (MEDIUM).
How severe is CVE-2026-7652? +
CVE-2026-7652 has a CVSS v3.1 score of 5.3 out of 10, rated MEDIUM. This is a medium-severity vulnerability that should be remediated as part of regular maintenance. The EPSS score is 0.0010, placing it in the 0th percentile for exploitation probability.
How do I check if I'm vulnerable to CVE-2026-7652? +
You can use Secably's free Website Scanner to check your website for known vulnerabilities. For infrastructure scanning, use the Port Scanner to identify exposed services that may be affected. Check the vendor advisories linked above for specific patch and version information.

Related Vulnerabilities

CVE-2025-53373

Natours is a Tour Booking API. The attacker can easily take over any victim account by injecting an attacker-controlled server …
CVE-2025-29995

This vulnerability exists in the CAP back office application due to a weak password-reset mechanism implemented at API endpoints. An …
CVE-2023-7028 10.0

An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, …
CVE-2024-38468 9.8

Shenzhen Guoxin Synthesis image system before 8.3.0 allows unauthorized password resets via the resetPassword API.
CVE-2025-43932 9.8

JobCenter through 7e7b0b2 allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset …
CVE-2025-43931 9.8

flask-boilerplate through a170e7c allows account takeover via the password reset feature because SERVER_NAME is not configured and thus a reset …

Don't wait for an exploit

Scan your website for vulnerabilities like CVE-2026-7652 — free, no signup required.

Start Free Scan