CVE-2025-7038: CWE-288 Authentication Bypass Using an Alternate Path or Channel in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events
The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account.
AI Analysis (machine-generated threat intelligence)
Technical Summary
CVE-2025-7038 is an authentication bypass (CWE-288, authentication bypass using an alternate path or channel) in the LatePoint plugin for WordPress, a widely used calendar booking system for appointments and events. The flaw sits in the latepoint_route_call AJAX endpoint, specifically in the steps__load_step route, which by its name serves the front-end booking wizard as a visitor moves from one booking step to the next. That route reads the customer email and related customer fields straight from the request and passes them to the plugin's internal login handler, which establishes a session as that customer. Nothing in between verifies the request: the route does not check whether the caller is already logged in, performs no capability check, and does not validate an AJAX nonce. Because the booking form is meant to be usable by anonymous visitors, the endpoint being reachable without authentication is by design; the bypass is that a step-loading call doubles as a login path and accepts a client-supplied email as proof of identity. An unauthenticated attacker who knows or guesses a customer's email address can therefore obtain a session for that customer with a single crafted request. All versions up to and including 5.1.94 are affected. The CVSS 3.1 base score is 8.2 (High): network attack vector, low attack complexity, no privileges required, no user interaction. The impact is primarily to confidentiality, since the attacker sees whatever the customer's account exposes; integrity and availability impacts are rated limited. No public exploit had been reported at the time of this analysis, but the exploitation path is trivial, so that offers little comfort. The vulnerability was published on September 30, 2025 (the CVE was reserved by Wordfence on July 2, 2025). No fixed version was recorded at the time of reporting; check the vendor's changelog for the first release after 5.1.94 that addresses this issue.
Potential Impact
The primary impact of CVE-2025-7038 is unauthorized access to customer accounts within the LatePoint booking system, a confidentiality breach scoped to whatever LatePoint exposes to a logged-in customer: personal details, appointment history and upcoming bookings, and any contact or payment-related data the site stores against the account. For the site owner this means privacy violations, possible regulatory exposure where that data is regulated, and reputational damage. Integrity impact is rated limited: the attacker is confined to whatever the impersonated customer's own account allows and gains no site-wide or administrative rights; availability impact is likewise limited. The realistic follow-on risk is the data itself: appointment times, names and contact details are ideal material for convincing phishing or social-engineering approaches against the customers or the business. Because the attack needs no authentication, no user interaction, and only a target email address, it is easy to automate across many sites and many customers, so mass harvesting is the worst case to plan for. The absence of known exploitation at the time of writing is a window for defenders, not a reason to defer.
Mitigation Recommendations
1. Update LatePoint to the first release after 5.1.94 that addresses this issue as soon as the vendor publishes it; all versions up to and including 5.1.94 are affected.
2. Until then, virtual-patch at the web application firewall, but do not simply block every unauthenticated request to latepoint_route_call: anonymous visitors use that endpoint to walk through the booking steps, so a blanket rule breaks bookings. Rate-limit the steps__load_step route per source IP and alert on requests that carry a customer email and arrive without a WordPress login cookie in unusual volume. Restricting the endpoint to trusted IP ranges is only workable for internal-only booking sites.
3. If you maintain or fork the plugin code, close the root cause rather than only adding a nonce: a nonce on a route that anonymous visitors must call is issued to every visitor and proves nothing about identity. The route must not establish a customer session from a client-supplied email at all. Log a customer in only after a password, a verified one-time login link, or an existing authenticated session proves ownership of that email, and keep login-status and nonce checks (check_ajax_referer) on the routes that genuinely require a session.
4. Monitor for exploitation. Standard web server logs show only POSTs to admin-ajax.php; the action and route name travel in the POST body, so you need a reverse proxy or WAF that logs request bodies, or the plugin's own logging. The useful signal is one source submitting many distinct customer emails to steps__load_step, since a single such request also describes a legitimate guest booking.
5. Review customer accounts and any available audit trail for bookings changed, cancelled or viewed in ways the customer did not initiate, and treat customer data as potentially exposed when deciding on breach notification.
6. Brief administrative and development teams on the vulnerability so that the update is applied promptly and not deferred as a routine plugin release.
7. Consider isolating the LatePoint deployment or adding a security plugin that layers request validation and rate limiting in front of the AJAX endpoint.
8. Keep current backups of customer data and have an incident response plan ready so that any compromise traced to this vulnerability can be contained and reported quickly.
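The detection described in the monitoring step, as an added example that is not part of this advisory or of LatePoint's code. It assumes a reverse proxy or WAF in front of WordPress that logs the POST body and Cookie header (ordinary access logs do not carry the body, which is where admin-ajax.php's action and the route live), and it uses route_name and params[customer][email] as illustrative parameter names, not confirmed LatePoint field names. Because a single unauthenticated steps__load_step request carrying an email is exactly what a legitimate guest booking looks like, it alerts on volume: one source submitting several distinct customer emails without a logged-in session.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs

# Constructed sample log, not real traffic. Assumed format: one request per
# line, tab-separated: client IP, method, path, raw POST body, Cookie header.
# Plain access logs do not record POST bodies, and admin-ajax.php's "action"
# and the LatePoint route travel in the body, so this needs a reverse proxy or
# WAF that logs bodies. route_name and params[customer][email] are assumed
# parameter names for illustration, not confirmed LatePoint field names.
SAMPLE_LOG = """\
203.0.113.10\tPOST\t/wp-admin/admin-ajax.php\taction=latepoint_route_call&route_name=steps__load_step&params%5Bcustomer%5D%5Bemail%5D=a%40example.com\t-
203.0.113.10\tPOST\t/wp-admin/admin-ajax.php\taction=latepoint_route_call&route_name=steps__load_step&params%5Bcustomer%5D%5Bemail%5D=b%40example.com\t-
203.0.113.10\tPOST\t/wp-admin/admin-ajax.php\taction=latepoint_route_call&route_name=steps__load_step&params%5Bcustomer%5D%5Bemail%5D=c%40example.com\t-
203.0.113.10\tPOST\t/wp-admin/admin-ajax.php\taction=latepoint_route_call&route_name=steps__load_step&params%5Bcustomer%5D%5Bemail%5D=d%40example.com\t-
198.51.100.7\tPOST\t/wp-admin/admin-ajax.php\taction=latepoint_route_call&route_name=steps__load_step&params%5Bcustomer%5D%5Bemail%5D=guest%40example.com\t-
198.51.100.8\tPOST\t/wp-admin/admin-ajax.php\taction=latepoint_route_call&route_name=steps__load_step&params%5Bcustomer%5D%5Bemail%5D=x%40example.com\twordpress_logged_in_1a2b=alice%7C9999
192.0.2.5\tGET\t/wp-content/plugins/latepoint/readme.txt\t\t-
"""

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
DISTINCT_EMAIL_THRESHOLD = 3  # distinct customer emails from one IP before alerting


def parse_line(line):
    """Split one log line into fields; return None if the line is malformed."""
    parts = line.split("\t")
    if len(parts) != 5:
        return None
    ip, method, path, body, cookies = parts
    return {"ip": ip, "method": method, "path": path, "body": body, "cookies": cookies}


def customer_login_attempt(rec):
    """Return the customer email an unauthenticated steps__load_step call carries, else None.

    One such request is indistinguishable from a guest filling in the booking
    form, so a single hit is not an alert on its own; find_enumerating_ips
    counts distinct emails per source instead.
    """
    if rec["method"] != "POST" or not rec["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    params = parse_qs(rec["body"], keep_blank_values=True)
    if params.get("action") != ["latepoint_route_call"]:
        return None
    if not any("steps__load_step" in r for r in params.get("route_name", [])):
        return None
    if "wordpress_logged_in_" in rec["cookies"]:
        return None  # an established WordPress session: not the unauthenticated path
    for key, values in params.items():
        if "email" in key.lower():
            for value in values:
                if EMAIL_RE.fullmatch(value):
                    return value.lower()
    return None


def find_enumerating_ips(log_text, threshold=DISTINCT_EMAIL_THRESHOLD):
    """Return {ip: sorted distinct emails} for sources at or over the threshold."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        email = customer_login_attempt(rec)
        if email:
            seen[rec["ip"]].add(email)
    return {ip: sorted(emails) for ip, emails in seen.items() if len(emails) >= threshold}


if __name__ == "__main__":
    for ip, emails in find_enumerating_ips(SAMPLE_LOG).items():
        print(f"{ip}: {len(emails)} distinct customer emails sent to steps__load_step without a session: {emails}")
```

On the constructed sample, 203.0.113.10 is reported (four distinct emails with no session) while 198.51.100.7's single guest request and 198.51.100.8's logged-in request are not. Tune the threshold to the site's booking volume, and treat the login cookie as a weak signal only: an attacker can create a session first, so a high count of distinct emails from one source is the part worth alerting on regardless of cookie state.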
Affected Countries
United States, United Kingdom, Canada, Australia, Germany, India, France, Netherlands, Brazil, Japan
Technical Details
Data Version: 5.1
Assigner Short Name: Wordfence
Date Reserved: 2025-07-02T20:41:45.476Z
CVSS Version: 3.1
State: PUBLISHED
Threat ID: 68db5dce3dea812c77a6ce60
Added to database: 9/30/2025, 4:34:22 AM
Last enriched: 2/26/2026, 4:00:24 PM
Last updated: 3/24/2026, 6:52:04 PM