CVE-2026-8176 - LatePoint agent privilege escalation
LatePoint up to 5.5.1 contains a chained privilege-escalation path that
lets an authenticated Agent-level user take over a WordPress administrator
account. Wordfence describes the issue as three linked flaws, centered on an
IDOR in OsOrdersController::create_or_update plus an unauthenticated
customer-cabinet password-reset path, which together let an attacker overwrite
an administrator password without using an administrator-only API.
This is not a narrow role-bug fix. Reviewers should assume every boundary between LatePoint customer, agent, and WordPress user identities needs to be revalidated.
When to use it
Use this recipe when a repository or WordPress deployment uses LatePoint and needs to validate agent, customer, and administrator identity boundaries. It supports source-code remediation, privilege-escalation review, RBAC testing, and audit evidence that Agent-level users cannot mutate privileged WordPress accounts through order or customer-cabinet flows.
Inputs
- LatePoint version, WordPress role map, agent/customer/admin identity model, order APIs, password-reset flows, and deployment exposure.
- Source paths for
OsOrdersController::create_or_update, customer-cabinet reset handlers, user lookup/update code, nonce/session checks, and role gates. - Regression fixtures for Agent, customer, admin, unauthenticated, cross-user, and invalid reset-token cases.
- Audit evidence for changed passwords, role mutations, reset emails, logs, impacted accounts, and rollback/notification owner.
Affected versions
- Vulnerable:
LatePoint <= 5.5.1 - Fixed:
LatePoint 5.5.2+ - Affected surface: sites where non-admin staff or other authenticated users can act as LatePoint agents, manage orders, or interact with customer cabinet flows
Indicator-of-exposure
- The repository or deployment uses
latepoint <= 5.5.1. - Code customizes or extends LatePoint order creation, customer mapping, or password-reset flows.
- Agent-level accounts exist and can edit orders or customer-linked records.
- WordPress and LatePoint identities are linked through IDs or relations that are writable from request parameters.
Quick checks:
rg -n "latepoint|OsOrdersController|create_or_update|customer_cabinet|reset.*password|wp_set_password|wp_update_user|connect.*wp.*user" .
wp plugin list | rg "^latepoint\\s"
Windows:
rg -n "latepoint|OsOrdersController|create_or_update|customer_cabinet|reset.*password|wp_set_password|wp_update_user|connect.*wp.*user" .
wp plugin list | rg "^latepoint\\s"
Remediation strategy
- Upgrade to
LatePoint 5.5.2+. - Review custom code, snippets, and overrides that extend LatePoint order, customer-cabinet, or identity-linking flows. The upgrade is not enough if local code reintroduces insecure ID references or password-reset behavior.
- Enforce object-level authorization on every order, customer, and linked WordPress-user update. Never trust request-supplied object IDs without proving the acting principal owns or may administer the target object.
- Require strong reset controls for any password change path: single-use token, nonce, expiry, and binding to the correct user/account context.
- Block non-admin LatePoint roles from mutating privileged WordPress accounts, even indirectly through customer or order records.
- Audit recent account changes, especially administrator password resets, account-link changes, and unexpected agent activity.
The prompt
Model context: this prompt was generated by GPT 5.5 Extra High reasoning.
You are remediating CVE-2026-8176 in the LatePoint WordPress plugin. The issue
chains an IDOR and password-reset weaknesses so an Agent-level user can take
over a WordPress administrator account. Produce exactly one output:
- A reviewer-ready PR/change request that upgrades the plugin, closes the
authorization chain, audits account-linking and reset paths, and documents
operator follow-up, or
- TRIAGE.md if this repository does not control an affected LatePoint runtime,
customization, or deployment.
## Rules
- Scope only CVE-2026-8176 and directly related identity, order, and password
mutation paths.
- Treat user records, password-reset data, salts, sessions, and audit logs as
sensitive.
- Do not reset live user passwords or trigger real account-takeover flows.
- Do not weaken LatePoint features by silently broadening WordPress roles.
- Do not auto-merge.
## Steps
1. Inventory every `latepoint` dependency, customization, override, and
deployment artifact in this repository.
2. Confirm whether any controlled code extends order creation, customer-cabinet
actions, password resets, or WordPress-user linking.
3. Upgrade to `5.5.2+` and refresh lockfiles or deployment manifests.
4. Trace every path where request data chooses an order, customer, or linked
WordPress user ID. Add object-level authorization where ownership or role
boundaries are missing.
5. Trace every password-change and reset path reachable from customer-cabinet
flows. Require correct identity binding, reset token validation, and expiry.
6. Prevent non-admin LatePoint roles from updating or linking privileged
WordPress accounts.
7. Search for custom code that calls `wp_set_password`, `wp_update_user`, or
equivalent account mutation helpers from LatePoint request handlers.
8. If the repository does not control the affected runtime or code path, stop
with `TRIAGE.md` listing files checked and runtime owner.
9. Add regression tests that prove:
- agent users cannot modify other users' account links;
- agent flows cannot trigger administrator password changes;
- request-supplied IDs outside scope are rejected.
10. Add a PR body section named `CVE-2026-8176 operator actions` covering:
- versions before and after;
- account-linking paths reviewed;
- any suspicious password resets or role changes checked;
- validation that passed.
11. Run available validation: unit tests, plugin tests, role/capability tests,
and safe account-flow regression tests.
12. Use PR title:
`fix(sec): remediate LatePoint agent privilege escalation`.
## Stop conditions
- The repository does not control the vulnerable plugin or any customization of
the affected flows.
- Validation would require taking over or resetting a real account.
- Audit evidence indicates active exploitation and incident response should take
priority over normal remediation.
Output contract
- A reviewer-ready PR or change request that upgrades LatePoint, closes IDOR and password-reset flaws, revalidates role mapping, adds negative RBAC tests, and documents account cleanup.
- Or a
TRIAGE.mdfile that lists inspected files, owner, observed version, privilege boundary, potentially impacted accounts, required fix, and residual risk. - The output must include exact validation commands and must not expose real password-reset tokens, user PII, customer booking data, or production logs.
Verification - what the reviewer looks for
- No controlled deployment remains on
LatePoint <= 5.5.1. - Agent-level users cannot change or relink privileged WordPress accounts.
- Password-reset and account-linking flows reject out-of-scope object IDs.
- Regression tests cover both authorization and reset-token boundaries.
Watch for
- Upgrading the plugin while leaving local overrides on old controller logic.
- Fixing the password-reset link but leaving writable object references uncontrolled.
- Auditing roles without checking past administrator password-reset events.
Related recipes
- Source code authz tenant boundary audit
- Source code secrets and data exposure audit
- Source code attack surface map
- SOC 2 change management evidence check
References
- Wordfence record: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/latepoint-2/latepoint-551-authenticated-agent-privilege-escalation-to-administrator-via-idor-in-osorderscontrollercreate-or-update-unauthenticated-customer-cabinet-password-reset
- NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-8176
- WordPress plugin page: https://wordpress.org/plugins/latepoint/