Description
The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account.
Published: 2025-09-30
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access through Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

The LatePoint plugin for WordPress contains a flaw in the load_step route of the AJAX endpoint that authenticates users without performing identity verification, capability checks, or validating an AJAX nonce. An attacker can send a crafted request carrying any customer email and related fields; the plugin then invokes its internal login handler, causing the requested customer account to be logged in without valid credentials. This enables an unauthenticated attacker to access any customer’s account, potentially exposing personal data, booking information, and administrative settings.

Affected Systems

All installations of the LatePoint – Calendar Booking Plugin for Appointments and Events, specifically versions up to and including 5.1.94 as distributed by LatePoint.

Risk and Exploitability

The CVSS score of 8.2 classifies this as a high-severity vulnerability. The EPSS score of less than 1% indicates a very low recorded exploitation probability, and the vulnerability is not listed in CISA’s KEV catalog. The flaw can be exploited remotely via an unauthenticated POST request to the latepoint_route_call AJAX endpoint. An attacker needs no special credentials or system access beyond the ability to craft an HTTP request to the target WordPress site. Once the request is executed, the plugin’s internal login routine is triggered without nonce or capability verification, creating an authentication bypass that grants the attacker full access to the targeted customer account.

Generated by OpenCVE AI on April 20, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the LatePoint plugin to version 5.1.95 or later, which removes the unauthenticated load_step endpoint and fixes the CWE-288 improper authentication flaw.
  • If an immediate update is not possible, disable or block unauthenticated access to the latepoint_route_call AJAX endpoint using access‑control rules or a security plugin that validates AJAX nonces and user capabilities to mitigate the authentication bypass identified as CWE-288.
  • Enable logging and monitor for anomalous AJAX requests to the load_step route to detect exploited attempts and respond promptly.

Generated by OpenCVE AI on April 20, 2026 at 21:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2025-31703 The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account.
History

Tue, 30 Sep 2025 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 30 Sep 2025 09:00:00 +0000

Type Values Removed Values Added
First Time appeared Latepoint
Latepoint latepoint
Wordpress
Wordpress wordpress
Vendors & Products Latepoint
Latepoint latepoint
Wordpress
Wordpress wordpress

Tue, 30 Sep 2025 04:45:00 +0000

Type Values Removed Values Added
Description The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account.
Title LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function
Weaknesses CWE-288
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Latepoint Latepoint
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:26:33.142Z

Reserved: 2025-07-02T20:41:45.476Z

Link: CVE-2025-7038

cve-icon Vulnrichment

Updated: 2025-09-30T15:40:15.885Z

cve-icon NVD

Status : Deferred

Published: 2025-09-30T11:37:43.013

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7038

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-20T21:45:18Z

Weaknesses