High severity8.2NVD Advisory· Published Sep 30, 2025· Updated Apr 15, 2026
CVE-2025-7038
CVE-2025-7038
Description
The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2Patches
Vulnerability mechanics
References
5- plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/latepoint.phpnvd
- plugins.trac.wordpress.org/browser/latepoint/tags/5.1.93/lib/controllers/steps_controller.phpnvd
- plugins.trac.wordpress.org/changesetnvd
- wordpress.org/plugins/latepoint/nvd
- www.wordfence.com/threat-intel/vulnerabilities/id/d7389e17-a357-481a-8716-3a93cb6afa7cnvd
News mentions
0No linked articles in our index yet.