Authentication Bypass in LatePoint Plugin for WordPress
CVE-2025-7038

8.2 HIGH

What is CVE-2025-7038?

The LatePoint plugin for WordPress contains an authentication bypass that allows unauthorized access to customer accounts. The flaw lies in the steps__load_step route of the latepoint_route_call AJAX endpoint, which in all versions up to and including 5.1.94 performs inadequate identity verification: the route has no login status check, no capability check, and no valid AJAX nonce check. As a result, an unauthenticated attacker who supplies a customer's email and the related fields can log into that customer's account, posing a serious security risk for sites relying on this plugin.
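The three missing checks the advisory names (login status, capability, AJAX nonce) map onto standard WordPress API calls. The handler below is an added example, not LatePoint's code; the action name `myplugin_load_step`, the capability `myplugin_book_appointments` and the helper `myplugin_customer_id_for_user()` are hypothetical, and the key point is that the customer identity is derived from the authenticated session rather than from an email field in the request.

```php
<?php
// Added example (not LatePoint's code): an admin-ajax handler that applies the
// checks the advisory says were missing. All names here are hypothetical.

add_action( 'wp_ajax_myplugin_load_step', 'myplugin_handle_load_step' );
// Deliberately no 'wp_ajax_nopriv_' registration: anonymous callers never
// reach this function; WordPress answers them with its default "0" response.

function myplugin_handle_load_step() {
    // 1. Nonce check: the token is bound to this action and to the caller's
    //    session, so a request forged from elsewhere fails here.
    check_ajax_referer( 'myplugin_load_step', 'nonce' );

    // 2. Login status check.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Capability check (the capability is assumed to be registered elsewhere).
    if ( ! current_user_can( 'myplugin_book_appointments' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden.' ), 403 );
    }

    // Identity comes from the authenticated WordPress user, never from a
    // client-supplied email or customer id field.
    $customer_id = myplugin_customer_id_for_user( get_current_user_id() );
    if ( ! $customer_id ) {
        wp_send_json_error( array( 'message' => 'No customer record for this user.' ), 403 );
    }

    // Only the booking-step data is read from the request; any email field
    // present in $_POST is ignored for identity purposes.
    $step = isset( $_POST['step'] ) ? sanitize_key( wp_unslash( $_POST['step'] ) ) : '';

    wp_send_json_success( array( 'customer_id' => $customer_id, 'step' => $step ) );
}

// Hypothetical lookup: maps the logged-in WP user to the plugin's own
// customer record via user meta written when the customer was created.
function myplugin_customer_id_for_user( $user_id ) {
    return (int) get_user_meta( $user_id, 'myplugin_customer_id', true );
}

// The front-end script must send the nonce with each request; it is issued
// per session, e.g. when the script is enqueued:
// wp_localize_script( 'myplugin-js', 'myplugin',
//     array( 'nonce' => wp_create_nonce( 'myplugin_load_step' ) ) );
```

When reviewing a plugin for this class of bug, look for `wp_ajax_nopriv_` registrations on routes that touch account state and for handlers that read an email or user id from `$_POST` to select whose account to act on.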

Affected Version(s)

LatePoint – Calendar Booking Plugin for Appointments and Events, versions <= 5.1.94

References

CVSS v3.1

Score: 8.2
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

wesley