CVE-2025-7038 – The LatePoint WordPress plugin contains an auth... (How to Fix)

Q: What is the severity of CVE-2025-7038?

CVE-2025-7038 has a CVSS score of 8.2 (HIGH). The LatePoint WordPress plugin contains an authentication bypass vulnerability that allows unauthenticated attackers to log into any customer account by exploiting insufficient identity verification in an AJAX endpoint. This affects all WordPress sites using LatePoint versions up to 5.1.94. Attackers can impersonate customers and potentially access sensitive booking information.

📋 TL;DR

The LatePoint WordPress plugin contains an authentication bypass vulnerability that allows unauthenticated attackers to log into any customer account by exploiting insufficient identity verification in an AJAX endpoint. This affects all WordPress sites using LatePoint versions up to 5.1.94. Attackers can impersonate customers and potentially access sensitive booking information.

💻 Affected Systems

Products:

LatePoint WordPress Plugin

Versions: All versions up to and including 5.1.94

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Only affects WordPress installations with LatePoint plugin enabled. No special configuration required.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain unauthorized access to all customer accounts, steal personal data, modify bookings, perform financial fraud, and potentially pivot to administrative functions if customer accounts have elevated privileges.

🟠

Likely Case

Attackers compromise customer accounts to view personal information, booking history, and potentially make unauthorized bookings or modifications.

🟢

If Mitigated

With proper network segmentation and monitoring, impact is limited to the LatePoint application data only, with no lateral movement to other systems.

🌐 Internet-Facing: HIGH

🏢 Internal Only: LOW

🎯 Exploit Status

Public PoC: ✅ No

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

The vulnerability is straightforward to exploit with basic HTTP requests to the vulnerable endpoint.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.1.95 or later

Vendor Advisory: https://wordpress.org/plugins/latepoint/#developers

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find LatePoint plugin. 4. Click 'Update Now' if update is available. 5. Alternatively, download version 5.1.95+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Disable LatePoint Plugin

all

Temporarily disable the vulnerable plugin until patched

wp plugin deactivate latepoint

Block Vulnerable Endpoint

linux

Add web application firewall rule to block access to the vulnerable AJAX endpoint

# Add to .htaccess for Apache:
RewriteCond %{REQUEST_URI} ^/wp-admin/admin-ajax\.php$
RewriteCond %{QUERY_STRING} action=latepoint_route_call [NC]
RewriteCond %{QUERY_STRING} route_name=steps__load_step [NC]
RewriteRule ^ - [F,L]

🧯 If You Can't Patch

Implement strict network access controls to limit who can access the WordPress admin-ajax.php endpoint
Enable detailed logging for all authentication attempts and monitor for suspicious activity

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → LatePoint → Version. If version is 5.1.94 or lower, you are vulnerable.

Check Version:

wp plugin get latepoint --field=version

Verify Fix Applied:

After updating, verify LatePoint plugin version shows 5.1.95 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Multiple POST requests to /wp-admin/admin-ajax.php with 'action=latepoint_route_call' and 'route_name=steps__load_step' from unauthenticated users
Unusual customer account logins from unexpected IP addresses

Network Indicators:

HTTP POST requests to admin-ajax.php with latepoint_route_call action and steps__load_step route parameters

SIEM Query:

source="web_logs" AND uri="/wp-admin/admin-ajax.php" AND method="POST" AND query="*action=latepoint_route_call*" AND query="*route_name=steps__load_step*"

📊 Metadata

CVE ID: CVE-2025-7038

CVSS v3 Score: 8.2 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CWE: CWE-288

EPSS Score: 0.51% exploit probability (65.7th percentile)

Published: September 30, 2025

Last Updated: October 2, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-7038, you might also want to check these: