
CVE-2025-7052: CWE-352 Cross-Site Request Forgery (CSRF) in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events

Severity: High
Tags: Vulnerability, CVE-2025-7052, cve, cve-2025-7052, cwe-352
Published: Tue Sep 30 2025 (09/30/2025, 04:27:07 UTC)
Source: CVE Database V5
Vendor/Project: latepoint
Product: LatePoint – Calendar Booking Plugin for Appointments and Events

Description

The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_password() function of its customer_cabinet__change_password AJAX route. The plugin hooks this endpoint via wp_ajax and wp_ajax_nopriv but does not verify a nonce or user capability before resetting the user’s password. This makes it possible for unauthenticated attackers who trick a logged-in customer (or, with “WP users as customers” enabled, an administrator) into visiting a malicious link to take over their account.

AI-Powered Analysis

AI analysis last updated: 09/30/2025, 04:34:46 UTC

Technical Analysis

CVE-2025-7052 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability in the LatePoint – Calendar Booking Plugin for Appointments and Events, a WordPress plugin for managing bookings and appointments. It affects all versions up to and including 5.1.94.

The flaw is in the change_password() function behind the customer_cabinet__change_password AJAX route. The route is registered on both the wp_ajax and wp_ajax_nopriv hooks, so it is reachable from logged-in and anonymous requests alike, and the handler neither verifies a WordPress nonce nor checks the caller's capabilities before changing the password. Browsers attach the site's cookies to a top-level navigation regardless of where the link was clicked, so an attacker with no account on the site can host a link or page that submits the password-change request from the victim's browser. If the victim is a logged-in LatePoint customer, or a WordPress user (including an administrator) on a site where the "WP users as customers" setting is enabled, the password is set to the attacker's chosen value and the account is taken over. Because the advisory describes a link-based attack (a top-level GET navigation), browser SameSite=Lax cookie defaults do not prevent it.

The attacker needs no authentication; the only precondition is that the victim is logged in and opens the malicious URL, which can be delivered by phishing or any other social-engineering channel. The CVSS v3.1 score of 8.8 reflects high confidentiality, integrity and availability impact with low attack complexity and no privileges required, with user interaction required. No exploitation in the wild has been reported at the time of writing, but CSRF against a password-change endpoint is trivial to weaponize once the details are public. The record carries no patch link, so a fixed release may not have been available when this analysis was written; confirm the fixing version in the vendor's changelog before relying on an upgrade.

Potential Impact

For European organizations using WordPress sites with the LatePoint plugin, this vulnerability poses a significant risk. Attackers can hijack user accounts, including those of customers and potentially administrators if the 'WP users as customers' feature is enabled. This can lead to unauthorized access to sensitive booking information, personal data, and potentially administrative controls over the website. The compromise of administrator accounts could allow attackers to escalate their access, implant further malware, or disrupt business operations. Given that many European businesses rely on online appointment scheduling for customer engagement, exploitation could result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to unauthorized data access), and financial losses. The ease of exploitation via CSRF and the absence of authentication checks amplify the threat, especially in environments where users may be less security-aware or where phishing attacks are prevalent. The vulnerability also threatens service availability if attackers modify or delete booking data or lock out legitimate users.

Mitigation Recommendations

Update LatePoint to a release the vendor states fixes this issue as soon as one is available. Until then, deactivate the plugin on sites where account takeover is unacceptable; where that is not possible, apply the interim controls below.

A Web Application Firewall rule can block or challenge requests to wp-admin/admin-ajax.php that target the customer_cabinet__change_password route. Match the route on GET as well as POST, since admin-ajax.php reads its action parameter from $_REQUEST and the advisory describes a link-based (GET) attack. Disable the "WP users as customers" setting unless the business needs it: with it off, a forged request can at most reset a LatePoint customer account, not a WordPress administrator. Enable multi-factor authentication for WordPress accounts so that a reset password alone does not grant a login, and remind users that the attack needs a live session, so logging out of the customer cabinet when it is not in use and treating unexpected links with suspicion both reduce exposure. Log password-change events and alert on password changes that are not followed by a login from the usual client, and on logins from new locations shortly after a change; these are the earliest signals of exploitation. Finally, developers maintaining custom integrations with LatePoint should audit every AJAX handler for a nonce check (check_ajax_referer() or wp_verify_nonce()) and a capability or ownership check, and should never register a state-changing handler on a wp_ajax_nopriv_ hook.
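As an added example (not LatePoint's code), the following WordPress plugin snippet shows the insecure pattern the advisory describes, an AJAX password-change handler with no nonce or capability check hooked on both wp_ajax_ and wp_ajax_nopriv_, next to a hardened version of the same handler. The action names "example_change_password*", the nonce action string, the form field names and the script handle are hypothetical; the WordPress API calls (check_ajax_referer, wp_check_password, WP_Session_Tokens, wp_set_auth_cookie) are real.

```php
<?php
/**
 * Added example, not LatePoint code. Insecure AJAX password-change handler
 * (the pattern behind CVE-2025-7052) next to a hardened version.
 * Hypothetical: the "example_change_password*" action names, the nonce action
 * string, the form field names and the "example-cabinet" script handle.
 */

/* ---- Vulnerable pattern (do not deploy) ---- */

// Reachable by logged-in AND anonymous requests.
add_action( 'wp_ajax_example_change_password',        'example_change_password_vulnerable' );
add_action( 'wp_ajax_nopriv_example_change_password', 'example_change_password_vulnerable' );

function example_change_password_vulnerable() {
	// No nonce, no login check, and the target user comes from the request.
	// A cross-site form or link opened in a victim's browser lands here with
	// the victim's cookies and is accepted as-is ($_REQUEST also covers GET).
	$user_id  = absint( $_REQUEST['user_id'] ?? 0 );
	$new_pass = (string) ( $_REQUEST['new_password'] ?? '' );
	wp_set_password( $new_pass, $user_id );
	wp_send_json_success();
}

/* ---- Hardened pattern ---- */

// Only logged-in sessions may change a password: no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_example_change_password_secure', 'example_change_password_secure' );

// Issue the nonce to the front end so the legitimate form can send it back
// as the "security" field.
add_action( 'wp_enqueue_scripts', function () {
	wp_enqueue_script( 'example-cabinet', plugins_url( 'cabinet.js', __FILE__ ), array(), '1.0', true );
	wp_localize_script( 'example-cabinet', 'exampleCabinet', array(
		'ajaxUrl' => admin_url( 'admin-ajax.php' ),
		'nonce'   => wp_create_nonce( 'example_change_password' ),
	) );
} );

function example_change_password_secure() {
	// 1. CSRF protection: the nonce must match this action. On failure
	//    check_ajax_referer() stops the request with HTTP 403.
	check_ajax_referer( 'example_change_password', 'security' );

	// 2. Authentication: wp_ajax_ hooks only fire for logged-in users, but
	//    state it explicitly so a later refactor cannot silently drop it.
	if ( ! is_user_logged_in() ) {
		wp_send_json_error( 'Authentication required.', 401 );
	}

	// 3. Authorization: a user may only change their own password. Never
	//    take the target user ID from the request.
	$user_id = get_current_user_id();
	$user    = get_userdata( $user_id );

	// 4. Re-authentication: require the current password, so a forged or
	//    replayed request cannot set a new one on its own.
	$current = (string) ( $_POST['current_password'] ?? '' );
	if ( ! $user || ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
		wp_send_json_error( 'Current password is incorrect.', 403 );
	}

	// 5. Minimal policy on the new value.
	$new_pass = (string) ( $_POST['new_password'] ?? '' );
	$confirm  = (string) ( $_POST['new_password_confirm'] ?? '' );
	if ( strlen( $new_pass ) < 12 || ! hash_equals( $new_pass, $confirm ) ) {
		wp_send_json_error( 'Password too short or confirmation does not match.', 400 );
	}

	wp_set_password( $new_pass, $user_id );

	// 6. Invalidate every other session for this account, then re-issue the
	//    caller's auth cookie (the old cookie no longer validates after a
	//    password change because it embeds a fragment of the password hash).
	WP_Session_Tokens::get_instance( $user_id )->destroy_all();
	wp_set_auth_cookie( $user_id, true );

	wp_send_json_success( 'Password updated.' );
}
```

The three checks that were missing in the vulnerable route are the nonce (stops cross-site forgery), the login requirement (no wp_ajax_nopriv_ registration), and deriving the target account from the session rather than the request. Requiring the current password is defence in depth: even a request that somehow carries a valid nonce cannot change the password without a secret the attacker does not have.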


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-07-03T19:21:30.973Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68db5dce3dea812c77a6ce67

Added to database: 9/30/2025, 4:34:22 AM

Last enriched: 9/30/2025, 4:34:46 AM

Last updated: 9/30/2025, 6:45:56 AM
