CVE-2025-7052: CWE-352 Cross-Site Request Forgery (CSRF) in latepoint LatePoint – Calendar Booking Plugin for Appointments and Events
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_password() function of its customer_cabinet__change_password AJAX route. The plugin hooks this endpoint via wp_ajax and wp_ajax_nopriv but does not verify a nonce or user capability before resetting the user’s password. This makes it possible for unauthenticated attackers who trick a logged-in customer (or, with “WP users as customers” enabled, an administrator) into visiting a malicious link to take over their account.
AI Analysis
Technical Summary
CVE-2025-7052 is a Cross-Site Request Forgery (CSRF) vulnerability in the LatePoint calendar booking and appointment plugin for WordPress. The change_password() function behind the plugin's customer_cabinet__change_password AJAX route performs neither nonce validation nor a capability check before it updates the password, and the route is registered on both the wp_ajax and wp_ajax_nopriv hooks, so admin-ajax.php dispatches it for authenticated and unauthenticated callers alike. The exploitable path runs through the wp_ajax hook: an attacker-controlled page or link makes the victim's browser send the password-change request to the site, the browser attaches the victim's WordPress authentication cookies automatically, and because nothing ties the request to a token that only the victim's own front-end could have obtained, the plugin sets the password to the attacker-chosen value. The victim can be any logged-in LatePoint customer, or an administrator when the "WP users as customers" option is enabled; the attacker needs no account on the site and simply logs in with the new password afterwards. All versions up to and including 5.1.94 are affected. This page carries no patch link, so whether a fixed release exists should be confirmed against the plugin changelog on WordPress.org or the Wordfence advisory rather than assumed either way. The CVSS 3.1 base score is 8.8 (High): network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, and high impact on confidentiality, integrity and availability. No exploitation in the wild had been reported at the time of writing, but the attack needs nothing beyond a crafted page and one visit from a logged-in victim, so affected sites should treat the update as urgent.
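The handler pattern the advisory describes, and the checks that close it, as an added example written for this page: it is not LatePoint's code, and the demo_ action names, the form field names, the script handle and the nonce action string are hypothetical.

```php
<?php
/**
 * Added illustration (not LatePoint's code). Names prefixed demo_ and the
 * field names current_password / new_password / _wpnonce are hypothetical.
 */

// --- Vulnerable pattern: no nonce, no capability check, and also hooked
//     for unauthenticated callers. Any cross-site request that the victim's
//     browser sends with its auth cookies lands here and succeeds.
function demo_change_password_vulnerable() {
    $user = wp_get_current_user();
    if ( $user->ID && ! empty( $_POST['new_password'] ) ) {
        wp_set_password( wp_unslash( $_POST['new_password'] ), $user->ID );
        wp_send_json_success( 'Password changed' );
    }
    wp_send_json_error( 'Not logged in' );
}
add_action( 'wp_ajax_demo_change_password',        'demo_change_password_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_change_password', 'demo_change_password_vulnerable' );

// --- Hardened pattern.
function demo_change_password_hardened() {
    // 1. Nonce. check_ajax_referer() ends the request with HTTP 403 on failure.
    //    wp_create_nonce() is keyed to the user ID and session token, so a page
    //    on another origin cannot obtain or guess the value it must send back.
    check_ajax_referer( 'demo_change_password', '_wpnonce' );

    // 2. Authentication: a password change only makes sense for a logged-in user,
    //    and that user may only change their own password.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'Authentication required', 401 );
    }
    $user = wp_get_current_user();

    // 3. Re-authentication: demand the current password so that a hijacked
    //    session alone is still not enough to rotate the credential.
    $current = isset( $_POST['current_password'] ) ? wp_unslash( $_POST['current_password'] ) : '';
    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'Current password incorrect', 403 );
    }

    $new = isset( $_POST['new_password'] ) ? wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'Password too short', 400 );
    }

    wp_set_password( $new, $user->ID );
    // Existing auth cookies stop validating after the change because their HMAC
    // covers a fragment of the stored hash; re-issue one for this session only.
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success( 'Password changed' );
}
// Only the authenticated hook: an unauthenticated caller has no password to change.
add_action( 'wp_ajax_demo_change_password', 'demo_change_password_hardened' );

// The nonce reaches the browser through a localized script variable; the
// front-end sends it back as _wpnonce together with the POST body.
function demo_enqueue_cabinet_script() {
    wp_enqueue_script( 'demo-cabinet', plugins_url( 'cabinet.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-cabinet', 'demoCabinet', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'demo_change_password' ),
    ) );
}
add_action( 'wp_enqueue_scripts', 'demo_enqueue_cabinet_script' );
```

The nonce is what defeats CSRF; the login check and the current-password requirement are the capability and re-authentication controls the advisory also notes as absent, and dropping the nopriv hook removes an entry point that has no legitimate use for this operation.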
Potential Impact
This vulnerability allows attackers to take over user accounts by resetting passwords without authorization, compromising user confidentiality and integrity. For customers, this means loss of control over their booking accounts, potential exposure of personal data, and disruption of services. For administrators (if configured as customers), the impact is even more severe, potentially leading to full site compromise, data breaches, and unauthorized administrative actions. The availability of the service can also be affected if attackers lock out legitimate users or administrators. Organizations relying on LatePoint for appointment management risk operational disruption, reputational damage, and regulatory consequences if sensitive customer data is exposed or manipulated. The vulnerability’s exploitation requires only that the victim be logged in and visit a malicious link, making phishing or social engineering attacks a likely vector. Given the widespread use of WordPress and the popularity of booking plugins, the potential attack surface is significant worldwide.
Mitigation Recommendations
1. Update LatePoint to a release that the vendor or Wordfence lists as fixed as soon as one is available. The affected range ends at 5.1.94, so check the plugin changelog for the first later version and monitor official channels.
2. Until then, put a request-level CSRF guard in front of the customer_cabinet__change_password route. A WAF cannot validate WordPress nonces (they are HMACs keyed to the victim's user ID and session token), so instead reject requests to admin-ajax.php that reference this route when the Sec-Fetch-Site header is cross-site, or when the Origin or Referer host does not match the site's own host.
3. If the booking front-end does not need self-service password changes, block the route entirely with a must-use plugin or a WAF deny rule until the patch is applied.
4. Enforce multi-factor authentication on WordPress logins for administrators, and for customers where the deployment supports it. MFA does not stop the forged request from changing the password, but it blocks the attacker's subsequent login with the new credential.
5. Educate users and administrators about phishing and the risk of following unknown links while logged in to the site.
6. Log password changes (WordPress does not do so by default) with user ID, source IP, Origin or Referer and timestamp, and review the log; an unexpected password change, especially for an administrator, is the primary indicator of this attack.
7. Turn off the "WP users as customers" feature while the site is unpatched, so that administrator accounts are not reachable through the customer cabinet route.
8. Generic security plugins cannot retrofit nonce checks into another plugin's handler; an interim guard has to run before admin-ajax.php dispatches the action (for example on admin_init from a must-use plugin) or at the WAF.
9. Monitor web server and WAF logs for requests to admin-ajax.php that reference the route and carry a foreign Origin or Referer.
10. Keep tested backups so that a compromised account or site can be restored.
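An interim must-use plugin of the kind items 2, 6 and 8 describe, added here as an example for this page rather than LatePoint or Wordfence code. It assumes the route string customer_cabinet__change_password appears verbatim in the admin-ajax.php query string or POST body when the vulnerable handler is invoked (the advisory names the route but not the request parameter), the csrf_shield_ names are hypothetical, and the wp_set_password action it logs from exists only in WordPress 6.2 and later.

```php
<?php
/**
 * Plugin Name: Interim CSRF shield for the LatePoint change-password route
 * Description: Added example for this page, not LatePoint or Wordfence code.
 * Install by copying into wp-content/mu-plugins/; must-use plugins load before
 * admin-ajax.php dispatches any wp_ajax_* or wp_ajax_nopriv_* action.
 */

// Route name from the advisory. ASSUMPTION: the string appears verbatim in the
// query string or POST body when the vulnerable handler is invoked.
const CSRF_SHIELD_ROUTE = 'customer_cabinet__change_password';

/**
 * Decide from request headers whether a browser sent this request from another
 * site. Needs no nonce, so it can shield a handler that cannot be patched yet.
 */
function csrf_shield_is_cross_site( array $server ) : bool {
    // Current browsers send Sec-Fetch-Site on every request and page scripts
    // cannot override it, so it is the most reliable signal when present.
    if ( isset( $server['HTTP_SEC_FETCH_SITE'] ) ) {
        return ! in_array( $server['HTTP_SEC_FETCH_SITE'], array( 'same-origin', 'same-site', 'none' ), true );
    }
    // Older browsers: compare the Origin (preferred) or Referer host with ours.
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    foreach ( array( 'HTTP_ORIGIN', 'HTTP_REFERER' ) as $header ) {
        if ( ! empty( $server[ $header ] ) ) {
            $host = wp_parse_url( $server[ $header ], PHP_URL_HOST );
            return strcasecmp( (string) $host, (string) $site_host ) !== 0;
        }
    }
    // A browser form post or XHR always carries at least Origin, so a request
    // with no origin information is treated as foreign (fail closed).
    return true;
}

/** True when the current admin-ajax.php request names the vulnerable route. */
function csrf_shield_targets_route() : bool {
    $haystack = ( $_SERVER['QUERY_STRING'] ?? '' ) . ' ' . http_build_query( $_POST );
    return strpos( $haystack, CSRF_SHIELD_ROUTE ) !== false;
}

// admin_init fires in admin-ajax.php before the action is dispatched, for both
// logged-in and nopriv callers, so priority 0 here runs ahead of the plugin.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || ! csrf_shield_targets_route() ) {
        return;
    }
    if ( csrf_shield_is_cross_site( $_SERVER ) ) {
        error_log( sprintf(
            'csrf-shield: blocked cross-site call to %s ip=%s user=%d origin=%s referer=%s',
            CSRF_SHIELD_ROUTE,
            $_SERVER['REMOTE_ADDR'] ?? '-',
            get_current_user_id(),
            $_SERVER['HTTP_ORIGIN'] ?? '-',
            $_SERVER['HTTP_REFERER'] ?? '-'
        ) );
        wp_send_json_error( 'Cross-site request rejected', 403 );
    }
}, 0 );

// Detection: WordPress does not log password changes. Record each one with
// request context so an unexpected change (especially for an administrator)
// shows up in the PHP error log or wherever error_log() is routed.
function csrf_shield_log_password_change( int $user_id, string $via ) : void {
    $user = get_userdata( $user_id );
    error_log( sprintf(
        'password-change: user=%d login=%s roles=%s via=%s ip=%s origin=%s ajax=%d',
        $user_id,
        $user ? $user->user_login : '?',
        $user ? implode( ',', $user->roles ) : '?',
        $via,
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $_SERVER['HTTP_ORIGIN'] ?? '-',
        wp_doing_ajax() ? 1 : 0
    ) );
}
// wp_set_password() path (action available since WordPress 6.2). The new
// password is passed to the hook; it is deliberately never logged.
add_action( 'wp_set_password', function ( $password, $user_id ) {
    csrf_shield_log_password_change( (int) $user_id, 'wp_set_password' );
}, 10, 2 );
// wp_update_user() path: profile_update receives the pre-update WP_User object,
// so a changed user_pass hash identifies a password change.
add_action( 'profile_update', function ( $user_id, $old_user_data ) {
    $now = get_userdata( $user_id );
    if ( $now && $old_user_data && $now->user_pass !== $old_user_data->user_pass ) {
        csrf_shield_log_password_change( (int) $user_id, 'profile_update' );
    }
}, 10, 2 );
```

The origin check is a stopgap, not a replacement for the nonce the handler should carry: it relies on the browser's own headers, so a legitimate integration that calls the route from another origin (an embedded widget on a second domain, a mobile client) would be blocked and needs an explicit allow-list. Remove the guard once the patched plugin version is installed; the password-change logging is worth keeping.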
Affected Countries
United States, United Kingdom, Germany, Canada, Australia, France, India, Brazil, Japan, Netherlands
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-07-03T19:21:30.973Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68db5dce3dea812c77a6ce67
Added to database: 9/30/2025, 4:34:22 AM
Last enriched: 2/26/2026, 4:02:42 PM
Last updated: 3/24/2026, 6:52:06 PM