High severity8.2NVD Advisory· Published Sep 30, 2025· Updated Apr 15, 2026

CVE-2025-7038

Description

The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account.

Affected products

WordPress/Latepointreferences
Package: https://wordpress.org/plugins/latepoint

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/latepoint.phpnvd
plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/lib/controllers/steps_controller.phpnvd
plugins.trac.wordpress.org/changesetnvd
wordpress.org/plugins/latepoint/nvd
www.wordfence.com/threat-intel/vulnerabilities/id/d7389e17-a357-481a-8716-3a93cb6afa7cnvd

News mentions

No linked articles in our index yet.

cvss	0.533
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000