
CVE-2025-7052: CWE-352 Cross-Site Request Forgery (CSRF) in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events

Severity: High
Tags: Vulnerability, CVE-2025-7052, CWE-352
Published: Tue Sep 30 2025 (09/30/2025, 04:27:07 UTC)
Source: CVE Database V5
Vendor/Project: latepoint
Product: LatePoint – Calendar Booking Plugin for Appointments and Events

Description

CVE-2025-7052 is a high-severity Cross-Site Request Forgery (CSRF) vulnerability affecting all versions up to and including 5.1.94 of the LatePoint WordPress plugin. The flaw arises from missing nonce validation on the change_password() function reached through an AJAX route, allowing unauthenticated attackers to trick logged-in users into changing their passwords via malicious links. This vulnerability can lead to full account takeover, impacting the confidentiality, integrity, and availability of user accounts. Exploitation requires user interaction but no authentication, making it relatively easy to exploit. There are no known exploits in the wild yet, but the high CVSS score (8.8) indicates significant risk. European organizations using LatePoint for appointment bookings should prioritize patching or mitigating this issue. Countries with high WordPress adoption and significant small-to-medium business sectors relying on appointment plugins are most at risk.

AI-Powered Analysis

AI analysis last updated: 10/07/2025, 11:33:05 UTC

Technical Analysis

The LatePoint plugin for WordPress, widely used for calendar booking and appointment management, suffers from a critical CSRF vulnerability identified as CVE-2025-7052. This vulnerability exists in all versions up to and including 5.1.94 due to the absence of nonce validation in the change_password() function, which is exposed via the AJAX route customer_cabinet__change_password. The plugin registers this endpoint with both wp_ajax and wp_ajax_nopriv hooks but fails to verify user capabilities or nonce tokens before allowing password resets. Consequently, an unauthenticated attacker can craft a malicious link that, when visited by a logged-in customer or administrator (if “WP users as customers” is enabled), triggers a password change without the victim's consent. This attack vector leverages the CWE-352 CSRF weakness, enabling attackers to hijack accounts by exploiting the victim's active session. The vulnerability impacts confidentiality (account takeover), integrity (unauthorized password changes), and availability (potential account lockout). The CVSS 3.1 score of 8.8 reflects the vulnerability's network attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on confidentiality, integrity, and availability. Although no public exploits are currently known, the ease of exploitation and severity necessitate urgent attention from affected users and administrators.

Potential Impact

For European organizations, the impact of CVE-2025-7052 is significant, especially for businesses relying on the LatePoint plugin for customer appointment scheduling and management. Successful exploitation can lead to unauthorized account takeovers, enabling attackers to manipulate booking data, access sensitive customer information, or disrupt service availability. This can result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to unauthorized data access), financial losses from service disruption or fraud, and increased operational costs for incident response and remediation. Small and medium enterprises (SMEs) using WordPress with LatePoint are particularly vulnerable, as they may lack dedicated security teams to detect or mitigate such attacks promptly. The vulnerability also poses risks to administrators if the “WP users as customers” feature is enabled, potentially compromising higher privilege accounts and leading to broader system compromise. Given the widespread use of WordPress in Europe and the popularity of appointment booking plugins, the threat landscape is broad, affecting sectors such as healthcare, legal services, education, and retail that rely on online scheduling.

Mitigation Recommendations

To mitigate CVE-2025-7052 effectively, organizations should:

1) Immediately update the LatePoint plugin to a patched version once released by the vendor;
2) If a patch is not yet available, temporarily disable or restrict access to the vulnerable AJAX endpoint (customer_cabinet__change_password) via web application firewall (WAF) rules or server configuration;
3) Implement custom nonce validation and user capability checks on the change_password() function to prevent unauthorized requests;
4) Enforce multi-factor authentication (MFA) for WordPress user accounts to reduce the impact of compromised credentials;
5) Educate users about phishing and social engineering risks to minimize the likelihood of clicking malicious links;
6) Monitor logs for suspicious password change requests and anomalous user activity;
7) Review and limit the use of the “WP users as customers” feature if not essential, to reduce attack surface;
8) Employ security plugins that detect and block CSRF attempts and unauthorized AJAX calls;
9) Conduct regular security audits and penetration tests focusing on plugin vulnerabilities;
10) Maintain up-to-date backups to enable recovery in case of compromise.
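The technical analysis above describes the unsafe shape of the endpoint (an AJAX action hooked to both wp_ajax and wp_ajax_nopriv with no nonce or capability check), and mitigation step 3 asks for nonce validation and capability checks. The following is an added illustration, not LatePoint's code: a hypothetical WordPress plugin handler written first in that unsafe shape and then hardened with the standard WordPress primitives (check_ajax_referer(), current_user_can(), wp_check_password(), wp_nonce_field()). The plugin prefix acme_, the action names and the minimum password length are assumptions; the example assumes the customer is a WordPress user, which in LatePoint's case corresponds to the “WP users as customers” setting.

```php
<?php
// Added example (not LatePoint's code). Hypothetical plugin prefix "acme_".

// --- Unsafe pattern, as described in the advisory -------------------------
// Registered for both logged-in and anonymous callers, and nothing proves the
// request was initiated by the victim rather than by a page they were lured to.
add_action( 'wp_ajax_acme_change_password_unsafe', 'acme_change_password_unsafe' );
add_action( 'wp_ajax_nopriv_acme_change_password_unsafe', 'acme_change_password_unsafe' );

function acme_change_password_unsafe() {
    // The browser attaches the victim's WordPress cookies to any cross-site
    // POST, so a logged-in user reaches this line without intending to.
    $new_password = isset( $_POST['new_password'] ) ? (string) $_POST['new_password'] : '';
    wp_set_password( $new_password, get_current_user_id() );
    wp_send_json_success();
}

// --- Hardened pattern ------------------------------------------------------
// Only the logged-in hook is registered: an anonymous caller has no account
// whose password could legitimately be changed.
add_action( 'wp_ajax_acme_change_password', 'acme_change_password_safe' );

function acme_change_password_safe() {
    // 1. Nonce: ties the request to a page this user loaded. On failure
    //    check_ajax_referer() terminates the request with HTTP 403.
    check_ajax_referer( 'acme_change_password', '_wpnonce' );

    // 2. Session and capability: require an authenticated user who may act on
    //    their own account ('read' is the lowest WordPress capability).
    $user_id = get_current_user_id();
    if ( ! $user_id || ! current_user_can( 'read' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Re-authentication: neither a CSRF'd request nor a hijacked session
    //    knows the current password, so demand it before changing anything.
    $current = isset( $_POST['current_password'] ) ? (string) $_POST['current_password'] : '';
    $new     = isset( $_POST['new_password'] ) ? (string) $_POST['new_password'] : '';
    $user    = get_userdata( $user_id );
    if ( ! $user || ! wp_check_password( $current, $user->user_pass, $user_id ) ) {
        wp_send_json_error( array( 'message' => 'Current password incorrect.' ), 403 );
    }
    if ( strlen( $new ) < 12 ) { // assumed policy minimum
        wp_send_json_error( array( 'message' => 'Password too short.' ), 400 );
    }

    wp_set_password( $new, $user_id );
    wp_send_json_success( array( 'message' => 'Password updated.' ) );
}

// The nonce must come from a page rendered for the logged-in user; the form
// below is what the plugin's customer cabinet template would print.
function acme_print_change_password_form() {
    echo '<form id="acme-change-password" method="post" action="' . esc_url( admin_url( 'admin-ajax.php' ) ) . '">';
    wp_nonce_field( 'acme_change_password', '_wpnonce' );
    echo '<input type="hidden" name="action" value="acme_change_password">';
    echo '<input type="password" name="current_password" autocomplete="current-password">';
    echo '<input type="password" name="new_password" autocomplete="new-password">';
    echo '<button type="submit">Change password</button>';
    echo '</form>';
}
```

The nonce alone closes the CSRF described in the advisory; the capability check and current-password requirement are defence in depth so that a request which somehow bypasses one layer still cannot change a password. When reviewing a plugin for this class of bug, the two things to look for are a wp_ajax_nopriv_ registration on a state-changing action and a handler body with no check_ajax_referer() or wp_verify_nonce() call before the write.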


Technical Details

Data Version
5.1
Assigner Short Name
Wordfence
Date Reserved
2025-07-03T19:21:30.973Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 68db5dce3dea812c77a6ce67

Added to database: 9/30/2025, 4:34:22 AM

Last enriched: 10/7/2025, 11:33:05 AM

Last updated: 11/14/2025, 4:30:44 AM
