CVE-2025-7038: CWE-288 Authentication Bypass Using an Alternate Path or Channel in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events
CVE-2025-7038 is a high-severity authentication bypass vulnerability in the LatePoint WordPress plugin, affecting all versions up to and including 5.1.94. The flaw exists in the AJAX endpoint latepoint_route_call, specifically within the steps__load_step route, where insufficient identity verification allows unauthenticated attackers to log into any customer account by supplying a customer email. This occurs because the endpoint processes client-supplied data without validating login status, capability, or a valid AJAX nonce. Exploitation requires no user interaction or privileges and can lead to full confidentiality compromise of customer accounts, though integrity and availability impacts are limited. European organizations using LatePoint for appointment booking are at risk of unauthorized access to sensitive customer data. Mitigation involves applying vendor patches once available, restricting access to the AJAX endpoint, and implementing additional server-side verification controls. Countries with high WordPress adoption and significant use of LatePoint, such as Germany, the UK, France, and the Netherlands, are most likely affected. Given the ease of exploitation and high confidentiality impact, this vulnerability is rated as high severity with a CVSS 3.1 base score of 8.2.
AI Analysis
Technical Summary
CVE-2025-7038 is an authentication bypass vulnerability identified in the LatePoint plugin for WordPress, a popular calendar booking tool used for managing appointments and events. The vulnerability resides in the AJAX endpoint latepoint_route_call, specifically in the steps__load_step route, which processes a client-supplied customer email and related fields. The core issue is that this endpoint invokes the internal login handler without performing essential security checks: verifying whether the user is already logged in, checking user capabilities, or validating a proper AJAX nonce token. This lack of verification allows an unauthenticated attacker to bypass authentication controls simply by supplying a valid customer email address, effectively logging into that customer's account without needing credentials. The vulnerability affects all versions up to and including 5.1.94. The CVSS 3.1 base score is 8.2, reflecting a network attack vector with low attack complexity, no privileges required, no user interaction, and a high impact on confidentiality but limited impact on integrity and no impact on availability. Although no known exploits are currently reported in the wild, the vulnerability's nature makes it a critical risk for organizations relying on LatePoint to manage sensitive customer appointment data. The flaw could lead to unauthorized access to personal information, appointment details, and potentially other linked data within the compromised accounts. Since LatePoint is a WordPress plugin, its exposure depends on the deployment and configuration of the WordPress sites using it. The vulnerability highlights a failure in proper identity verification and session management within the plugin's AJAX handling, emphasizing the need for robust server-side validation and nonce checks in AJAX endpoints.
Potential Impact
For European organizations using the LatePoint plugin, this vulnerability poses a significant risk to customer data confidentiality. Attackers can gain unauthorized access to customer accounts, potentially exposing personal information, appointment schedules, and other sensitive data managed through the plugin. This could lead to privacy violations, regulatory non-compliance (e.g., GDPR breaches), reputational damage, and loss of customer trust. While the integrity and availability of the system are less impacted, the confidentiality breach alone is critical, especially for sectors handling sensitive client information such as healthcare, legal services, and financial consulting. The ease of exploitation—requiring no authentication or user interaction—means that attackers can automate attacks at scale, increasing the likelihood of widespread compromise. Additionally, compromised accounts could be leveraged for further attacks, such as social engineering or lateral movement within an organization’s IT environment. The impact is amplified in environments where LatePoint is integrated with other systems or where customer data is particularly sensitive. Organizations may face legal and financial consequences under European data protection laws if they fail to address this vulnerability promptly.
Mitigation Recommendations
1. Apply official patches or updates from the LatePoint plugin vendor as soon as they become available to address the authentication bypass.
2. Until patches are released, restrict access to the AJAX endpoint latepoint_route_call by implementing web application firewall (WAF) rules that block or limit requests to this endpoint from untrusted sources.
3. Implement server-side validation to verify user authentication status and capabilities, and validate AJAX nonces for all AJAX endpoints, especially those handling sensitive operations.
4. Conduct a thorough audit of all WordPress plugins and custom code to ensure proper authentication and authorization checks are in place.
5. Monitor web server logs for unusual or repeated access attempts to the vulnerable AJAX endpoint, which may indicate exploitation attempts.
6. Educate site administrators about the risks of using outdated plugins and the importance of timely updates.
7. Consider isolating or segmenting systems running LatePoint to limit potential lateral movement if an account is compromised.
8. Review and enhance incident response plans to quickly detect and respond to unauthorized access incidents involving this vulnerability.
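The missing checks described in the Technical Summary and required by recommendation 3, shown as an added example of a hypothetical WordPress AJAX route handler (not LatePoint's own code): the weak pattern that derives identity from a client-supplied email beside a hardened version. The action name latepoint_route_call is taken from this advisory; the POST field names route_name and customer_email, the nonce action lp_route and all function names are assumptions.

```php
<?php
// Added example, not LatePoint's code. Assumed names: AJAX action 'latepoint_route_call',
// POST fields 'route_name' and 'customer_email', nonce action 'lp_route'.

// WEAK PATTERN (do not use): identity is taken from a client-supplied email with no nonce,
// login-state or capability check, so anyone who knows an email ends up signed in as that customer.
function lp_weak_route_call() {
    $email = sanitize_email( wp_unslash( $_POST['customer_email'] ?? '' ) );
    $user  = get_user_by( 'email', $email );
    if ( $user ) {
        wp_set_current_user( $user->ID );   // identity switched on unverified input
        wp_set_auth_cookie( $user->ID );
    }
    wp_send_json_success();
}

// HARDENED PATTERN: reject requests without a valid nonce, refuse identity-bearing routes for
// anonymous callers, and bind any posted email to the already-authenticated session.
const LP_ROUTES_REQUIRING_SESSION = array( 'steps__load_step' );

function lp_hardened_route_call() {
    // 1. Nonce check: the token is minted by wp_create_nonce( 'lp_route' ) on the booking page;
    //    check_ajax_referer() returns false (instead of dying) when the nonce is missing or stale.
    if ( false === check_ajax_referer( 'lp_route', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce.' ), 403 );
    }
    $route = sanitize_text_field( wp_unslash( $_POST['route_name'] ?? '' ) );

    // 2. Login-state check: identity comes from the WordPress session, never from POST data.
    if ( in_array( $route, LP_ROUTES_REQUIRING_SESSION, true ) && ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }

    // 3. Ownership check: a posted email may only refer to the caller's own account.
    $current = wp_get_current_user();
    $posted  = sanitize_email( wp_unslash( $_POST['customer_email'] ?? '' ) );
    if ( '' !== $posted && strtolower( $posted ) !== strtolower( $current->user_email ) ) {
        wp_send_json_error( array( 'message' => 'Email does not match the signed-in user.' ), 403 );
    }

    // Route dispatch would go here; handlers receive $current and never re-read identity from $_POST.
    wp_send_json_success( array( 'route' => $route, 'customer' => $current->user_email ) );
}
add_action( 'wp_ajax_latepoint_route_call', 'lp_hardened_route_call' );
add_action( 'wp_ajax_nopriv_latepoint_route_call', 'lp_hardened_route_call' );
```

wp_send_json_error() terminates the request, so each failed check stops processing before any route handler runs; guest-only routes that carry no identity can be left out of LP_ROUTES_REQUIRING_SESSION while still being covered by the nonce check.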
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-02T20:41:45.476Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68db5dce3dea812c77a6ce60
Added to database: 9/30/2025, 4:34:22 AM
Last enriched: 10/7/2025, 11:32:45 AM
Last updated: 11/12/2025, 2:42:29 AM