WordPress LatePoint plugin <= 5.4.1 - Authenticated (Agent+) Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability vulnerability

Authenticated Agent+ Privilege Escalation to Administrator via 'connect-customer-to-wp-user' Ability vulnerability discovered by skyv3il - AI SAFE in WordPress Plugin LatePoint versions = 5.4.1...

PT-2026-35519

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Privilege Escalation in versions up to and including 5.4.1. This is due to a missing authorization check in the execute method of the connect-customer-to-wp-user ability, which only requires...