Vulnerability Description
The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/latepoint.php
- https://plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/lib/controllers
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old
- https://wordpress.org/plugins/latepoint/#developers
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d7389e17-a357-481a-871
FAQ
What is CVE-2025-7038?
CVE-2025-7038 is a vulnerability with a CVSS score of 8.2 (HIGH). The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all v...
How severe is CVE-2025-7038?
CVE-2025-7038 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-7038?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.