Description
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_password() function of its customer_cabinet__change_password AJAX route. The plugin hooks this endpoint via wp_ajax and wp_ajax_nopriv but does not verify a nonce or user capability before resetting the user’s password. This makes it possible for unauthenticated attackers who trick a logged-in customer (or, with “WP users as customers” enabled, an administrator) into visiting a malicious link to take over their account.
Published: 2025-09-30
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover via CSRF
Action: Apply Patch
AI Analysis

Impact

The LatePoint calendar booking plugin for WordPress contains a flaw that lets an unauthenticated attacker change the password of a logged‑in customer by forging a request on that customer's behalf. The change_password() handler behind the customer_cabinet__change_password AJAX route is registered for both logged‑in (wp_ajax) and anonymous (wp_ajax_nopriv) callers and performs neither nonce verification nor a user or capability check, so a request triggered from any page the victim visits is processed as though the victim had submitted it. The result is account takeover; the weakness is classified as CWE‑352 (Cross‑Site Request Forgery).
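As an added illustration (this is neither LatePoint's code nor the vendor's fix), the following two hypothetical WordPress AJAX handlers show the pattern the advisory describes and a hardened equivalent. The route name customer_cabinet__change_password is taken from the advisory; the example_* function names, the 'example_change_password' nonce action string and the POST field names current_password / new_password are assumptions for this example. Only the hardened handler is actually hooked:

```php
<?php
// Added example, not LatePoint code. Two hypothetical handlers for a customer
// "change password" AJAX route, executed by WordPress via admin-ajax.php.
// Assumed names: the example_* functions, the 'example_change_password' nonce
// action, and the POST fields current_password / new_password.

/**
 * Vulnerable pattern (shown for contrast only; NOT hooked below).
 * Registered for both wp_ajax_ and wp_ajax_nopriv_, it acts on whatever identity
 * the request's cookies carry, with no proof that the user intended the request.
 */
function example_change_password_vulnerable() {
    $new_password = (string) wp_unslash( $_POST['new_password'] ?? '' );
    // No nonce, no login check, no current-password check: a hidden form on any
    // site the victim visits can submit this request with the victim's cookies.
    wp_set_password( $new_password, get_current_user_id() );
    wp_send_json_success();
}

/**
 * Hardened pattern.
 */
function example_change_password_hardened() {
    // 1. CSRF: check_ajax_referer() reads $_REQUEST['_ajax_nonce'] and exits with
    //    "-1" (HTTP 403) if the nonce is missing, expired, or was minted for a
    //    different user or a different action. A third-party page cannot read or
    //    forge one, which is what makes the cross-site request fail.
    check_ajax_referer( 'example_change_password', '_ajax_nonce' );

    // 2. Authentication: act only on the logged-in user, never on an ID taken
    //    from the request body.
    $user = wp_get_current_user();
    if ( 0 === $user->ID ) {
        wp_send_json_error( array( 'message' => 'Not logged in.' ), 401 );
    }

    $current = (string) wp_unslash( $_POST['current_password'] ?? '' );
    $new     = (string) wp_unslash( $_POST['new_password'] ?? '' );

    // 3. Re-authentication: even with a leaked nonce or a hijacked session the
    //    caller must know the current password to set a new one.
    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( array( 'message' => 'Current password is incorrect.' ), 403 );
    }
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( array( 'message' => 'New password must be at least 12 characters.' ), 400 );
    }

    // 4. Change it, then re-issue the auth cookie: WordPress derives the cookie
    //    hash partly from the password hash, so the old cookie stops validating.
    wp_set_password( $new, $user->ID );
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success( array( 'message' => 'Password changed.' ) );
}

// Only the wp_ajax_ hook: an anonymous visitor has no password to change here.
add_action( 'wp_ajax_customer_cabinet__change_password', 'example_change_password_hardened' );

// The form that calls this route must carry the matching nonce: a hidden input
// named _ajax_nonce whose value is wp_create_nonce( 'example_change_password' ),
// printed through esc_attr().
```

If the plugin keeps its own customer session rather than a WordPress login (the wp_ajax_nopriv registration the advisory mentions suggests it may), the same two rules still apply: the request must carry a per-session secret that a third-party page cannot read, and the handler must change the password of the customer bound to that session only, never one named in the request.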

Affected Systems

All LatePoint versions up to and including 5.1.94 are affected. The plugin is a WordPress add‑on for booking appointments and events. Every site running an affected version is exposed; the accounts at risk are LatePoint customers and, when the 'WP users as customers' setting is enabled, WordPress users including administrators.

Risk and Exploitability

The CVSS 3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) marks this as high severity: no privileges are needed, but the victim must be lured into loading the attacker's page (UI:R). The EPSS score below 1% suggests exploitation in the near term is unlikely, and the vulnerability is not listed in the CISA KEV catalog. The attack itself is simple, however: a forged request to the affected admin‑ajax.php action, delivered through a link or a hidden form on a page the victim visits, resets the password in a single round trip with no further interaction. An attacker who can lure a logged‑in user to such a page takes over the account immediately.

Generated by OpenCVE AI on April 20, 2026 at 19:24 UTC.

Remediation

No vendor fix or workaround is recorded in this entry; see the recommended actions below for update and stopgap guidance.

OpenCVE Recommended Actions

  • Update the LatePoint plugin to a release newer than 5.1.94 (OpenCVE names 5.2.0 or later) and confirm from the vendor changelog that the change_password() route now verifies a nonce.
  • Disable the 'WP users as customers' setting if it is not needed, so that a forged request can at most reset a LatePoint customer account rather than a WordPress administrator account.
  • Until the update is applied, restrict the customer_cabinet__change_password AJAX action at the web server or with a security plugin: refuse requests whose Origin or Referer header does not match the site's own host, or disable the action outright. A WAF cannot validate a WordPress nonce (it is bound to the user session and the action), so such rules are a stopgap, not a substitute for the patch.
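As an added example (not vendor or OpenCVE code) of the stopgap in the last point, the following must‑use plugin, dropped into wp-content/mu-plugins/, runs ahead of the plugin's own handler for the affected action and refuses requests that did not originate from the site's own pages. The action name comes from the advisory; because the advisory says the route is registered for both wp_ajax and wp_ajax_nopriv, the guard does not assume a WordPress login and relies only on the Origin or Referer host matching the site. The function and constant names are assumptions:

```php
<?php
/**
 * Plugin Name: Example same-origin guard for customer_cabinet__change_password
 * Description: Added example, not vendor code. Stopgap until LatePoint is updated.
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

const EXAMPLE_GUARDED_ACTION = 'customer_cabinet__change_password'; // from the advisory

/**
 * Pure decision function: true means refuse the request.
 * Browsers attach Origin to cross-site POSTs and, unless a referrer policy
 * suppresses it, Referer to navigations and form posts; a hidden form or image
 * on an attacker's page therefore arrives with a foreign host (or "null").
 */
function example_is_cross_site( $site_host, $origin, $referer ) {
    foreach ( array( $origin, $referer ) as $header ) {
        if ( '' === $header ) {
            continue;                       // try the next header
        }
        $host = parse_url( $header, PHP_URL_HOST );
        if ( ! is_string( $host ) ) {
            return true;                    // "null", garbage, or no host: refuse
        }
        return 0 !== strcasecmp( $host, $site_host );
    }
    return true;                            // neither header present: same-origin unproven
}

function example_guard_change_password() {
    $site_host = (string) parse_url( home_url(), PHP_URL_HOST );
    $origin    = (string) ( $_SERVER['HTTP_ORIGIN'] ?? '' );
    $referer   = (string) ( $_SERVER['HTTP_REFERER'] ?? '' );

    if ( example_is_cross_site( $site_host, $origin, $referer ) ) {
        // Log enough to investigate, then stop. wp_send_json_error() exits, so the
        // plugin's own handler at the default priority 10 never runs.
        error_log( sprintf(
            'blocked cross-site %s from %s (origin=%s referer=%s)',
            EXAMPLE_GUARDED_ACTION,
            $_SERVER['REMOTE_ADDR'] ?? '-',
            $origin,
            $referer
        ) );
        wp_send_json_error( array( 'message' => 'Request refused.' ), 403 );
    }
}

// Priority 0 runs before the plugin's handler, on both hooks the advisory names.
add_action( 'wp_ajax_' . EXAMPLE_GUARDED_ACTION,        'example_guard_change_password', 0 );
add_action( 'wp_ajax_nopriv_' . EXAMPLE_GUARDED_ACTION, 'example_guard_change_password', 0 );
```

Two caveats. A legitimate customer whose browser sends neither header (a strict referrer policy on the site combined with a client that omits Origin) is refused as well, so this trades some availability for safety and is only justified until the update lands. And it is not a replacement for a nonce: an attacker who can already run script in the site's own origin is not stopped by an origin check.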

Advisories
Source: EUVD
ID: EUVD-2025-31702
Title: The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_password() function of its customer_cabinet__change_password AJAX route. The plugin hooks this endpoint via wp_ajax and wp_ajax_nopriv but does not verify a nonce or user capability before resetting the user’s password. This makes it possible for unauthenticated attackers who trick a logged-in customer (or, with “WP users as customers” enabled, an administrator) into visiting a malicious link to take over their account.
History

Tue, 30 Sep 2025 16:15:00 +0000

Metrics (ssvc) added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Sep 2025 09:00:00 +0000

First Time appeared: Latepoint (latepoint), Wordpress (wordpress)
Vendors & Products added: Latepoint (latepoint), Wordpress (wordpress)

Tue, 30 Sep 2025 04:45:00 +0000

Description added: (the text shown under Description at the top of this page)
Title added: LatePoint <= 5.1.94 - Cross-Site Request Forgery to Account Takeover via change_password() Function
Weaknesses added: CWE-352
References added
Metrics (cvssV3_1) added: {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:28:31.817Z

Reserved: 2025-07-03T19:21:30.973Z

Link: CVE-2025-7052

Vulnrichment

Updated: 2025-09-30T15:40:44.705Z

NVD

Status: Deferred

Published: 2025-09-30T11:37:43.183

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-7052

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T19:30:06Z

Weaknesses