CVE-2025-6715
Description
The LatePoint WordPress plugin before 5.1.94 is vulnerable to Local File Inclusion via the layout parameter. This makes it possible for attackers to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated Local File Inclusion in LatePoint WordPress plugin before 5.1.94 allows arbitrary PHP file execution via the layout parameter.
The LatePoint WordPress plugin, versions before 5.1.94, is vulnerable to an unauthenticated Local File Inclusion (LFI) flaw through the layout parameter. This vulnerability, reported as critical with a CVSS score of 9.8, allows an attacker to include arbitrary files from the server [1]. By controlling the layout parameter, an attacker can include a PHP file, and if the included file contains PHP code, that code will be executed on the server [1].
No authentication is required to exploit this vulnerability, so any remote attacker who can reach the site can attempt it. The attacker only needs to send a request to the vulnerable plugin with a crafted value for the layout parameter [1]. The proof of concept demonstrates that this can be done without any prior access to the WordPress site [1].
The impact of successful exploitation is severe. An attacker can achieve remote code execution by including a PHP file that contains malicious code, such as a web shell [1]. This could lead to full site compromise, including data theft, privilege escalation, and further attacks on the server infrastructure. The vulnerability affects the core functionality of the plugin, and a proof of concept has been publicly disclosed, increasing the risk of exploitation [1].
The vulnerability has been fixed in version 5.1.94 of the LatePoint plugin [1]. Users are strongly advised to update to this patched version immediately. As of the publication date, no known workarounds have been provided, so updating is the primary mitigation [1].
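A version check to support the update advice above, as an added example that is not part of the advisory or of the LatePoint project: it reads the `Version:` line of a WordPress plugin header and compares it numerically against 5.1.94, since a plain string comparison would misjudge a release such as 5.1.100. The sample headers are constructed, and the caller is assumed to supply the text of the plugin's main file.

```python
import re

# First fixed release, taken from the advisory text.
FIXED_VERSION = (5, 1, 94)

# WordPress reads plugin metadata from a comment header in the main plugin file.
_VERSION_RE = re.compile(r"^[ \t/*#@]*Version:[ \t]*(\S+)", re.IGNORECASE | re.MULTILINE)


def parse_version(text):
    """Return the header version as a tuple of ints, or None if absent or unparseable."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    nums = []
    for part in m.group(1).split("."):
        digits = re.match(r"\d+", part)
        if not digits:
            return None
        nums.append(int(digits.group()))
    return tuple(nums)


def classify(header_text):
    """'vulnerable' if below 5.1.94, 'patched' if at or above it, 'unknown' if no version."""
    v = parse_version(header_text)
    if v is None:
        return "unknown"
    # Pad so that 5.2 compares as 5.2.0; tuples compare component by component.
    width = max(len(v), len(FIXED_VERSION))
    v = v + (0,) * (width - len(v))
    fixed = FIXED_VERSION + (0,) * (width - len(FIXED_VERSION))
    return "vulnerable" if v < fixed else "patched"


# Constructed sample headers (not copied from the real plugin file).
SAMPLES = {
    "site-a": "<?php\n/**\n * Plugin Name: LatePoint\n * Version: 5.1.9\n */",
    "site-b": "<?php\n/**\n * Plugin Name: LatePoint\n * Version: 5.1.100\n */",
    "site-c": "<?php\n/**\n * Plugin Name: LatePoint\n */",
}

if __name__ == "__main__":
    for site, header in SAMPLES.items():
        print(site, classify(header))
```

A result of `unknown` means the header carried no readable version and the installation needs a manual look.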
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.