{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-7038", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-07-02T20:41:45.476Z", "datePublished": "2025-09-30T04:27:07.535Z", "dateUpdated": "2026-04-08T17:26:33.142Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:33.142Z"}, "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.1.94", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer\u2019s account."}], "title": "LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7389e17-a357-481a-8716-3a93cb6afa7c?source=cve"}, {"url": "https://wordpress.org/plugins/latepoint/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/latepoint.php"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/lib/controllers/steps_controller.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3366851%40latepoint&new=3366851%40latepoint&sfp_email=&sfph_mail="}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel", "cweId": "CWE-288", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "baseScore": 8.2, "baseSeverity": "HIGH"}}], "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "timeline": [{"time": "2025-07-08T16:23:03.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-09-29T16:24:40.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-09-30T15:40:09.385324Z", "id": "CVE-2025-7038", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T15:40:19.475Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-7038", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-09-30T15:40:09.385324Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-09-30T15:40:15.885Z"}}], "cna": {"title": "LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function", "credits": [{"lang": "en", "type": "finder", "value": "wesley"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 8.2, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"}}], "affected": [{"vendor": "latepoint", "product": "LatePoint \u2013 Calendar Booking Plugin for Appointments and Events", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "5.1.94"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-07-08T16:23:03.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-09-29T16:24:40.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7389e17-a357-481a-8716-3a93cb6afa7c?source=cve"}, {"url": "https://wordpress.org/plugins/latepoint/#developers"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/latepoint.php"}, {"url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/lib/controllers/steps_controller.php"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3366851%40latepoint&new=3366851%40latepoint&sfp_email=&sfph_mail="}], "descriptions": [{"lang": "en", "value": "The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer\u2019s account."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-288", "description": "CWE-288 Authentication Bypass Using an Alternate Path or Channel"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:26:33.142Z"}}}, "cveMetadata": {"cveId": "CVE-2025-7038", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:26:33.142Z", "dateReserved": "2025-07-02T20:41:45.476Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-09-30T04:27:07.535Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer\u2019s account."}, {"lang": "es", "value": "El plugin LatePoint para WordPress es vulnerable a omisi\u00f3n de autenticaci\u00f3n debido a verificaci\u00f3n de identidad insuficiente dentro de la ruta steps__load_step del endpoint AJAX latepoint_route_call en todas las versiones hasta la 5.1.94, inclusive. El endpoint lee el correo electr\u00f3nico del cliente suministrado por el cliente y los campos de cliente relacionados antes de invocar el manejador de inicio de sesi\u00f3n interno sin verificar el estado de inicio de sesi\u00f3n, las comprobaciones de capacidad o un nonce AJAX v\u00e1lido. Esto hace posible que atacantes no autenticados inicien sesi\u00f3n en la cuenta de cualquier cliente."}], "id": "CVE-2025-7038", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "LOW", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-09-30T11:37:43.013", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/latepoint.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/lib/controllers/steps_controller.php"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3366851%40latepoint&new=3366851%40latepoint&sfp_email=&sfph_mail="}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/latepoint/#developers"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/d7389e17-a357-481a-8716-3a93cb6afa7c?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-288"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:44:22.067229+00:00", "value": {"mitigation_remediation": ["Update the LatePoint plugin to version 5.1.95 or later, which removes the unauthenticated load_step endpoint and fixes the CWE-288 improper authentication flaw.", "If an immediate update is not possible, disable or block unauthenticated access to the latepoint_route_call AJAX endpoint using access\u2011control rules or a security plugin that validates AJAX nonces and user capabilities to mitigate the authentication bypass identified as CWE-288.", "Enable logging and monitor for anomalous AJAX requests to the load_step route to detect exploited attempts and respond promptly."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized Access through Authentication Bypass"}, "threat_synthesis": {"affected_systems": "All installations of the LatePoint \u2013 Calendar Booking Plugin for Appointments and Events, specifically versions up to and including 5.1.94 as distributed by LatePoint.", "description_and_impact": "The LatePoint plugin for WordPress contains a flaw in the load_step route of the AJAX endpoint that authenticates users without performing identity verification, capability checks, or validating an AJAX nonce. An attacker can send a crafted request carrying any customer email and related fields; the plugin then invokes its internal login handler, causing the requested customer account to be logged in without valid credentials. This enables an unauthenticated attacker to access any customer\u2019s account, potentially exposing personal data, booking information, and administrative settings.", "risk_and_exploitability": "The CVSS score of 8.2 classifies this as a high-severity vulnerability. The EPSS score of less than 1% indicates a very low recorded exploitation probability, and the vulnerability is not listed in CISA\u2019s KEV catalog. The flaw can be exploited remotely via an unauthenticated POST request to the latepoint_route_call AJAX endpoint. An attacker needs no special credentials or system access beyond the ability to craft an HTTP request to the target WordPress site. Once the request is executed, the plugin\u2019s internal login routine is triggered without nonce or capability verification, creating an authentication bypass that grants the attacker full access to the targeted customer account."}}}}, "created": "2025-09-30T08:47:25.240958+00:00", "updated": "2026-04-20T21:45:18.978075+00:00", "vendors": ["latepoint", "latepoint$PRODUCT$latepoint", "wordpress", "wordpress$PRODUCT$wordpress"]}