CVE-2025-7038 HIGH

CVE-2025-7038: LatePoint <= 5.1.94 - Unauthenticated Authentication Bypass via load_step Function

Vendor Latepoint
Product LatePoint – Calendar Booking Plugin for Appointments and Events
Weakness CWE-288
Published September 30, 2025
Last update April 8, 2026

CVSS base score 8.2/10

Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality High
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Description: what the vulnerability does

The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account.
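The description above points at two missing controls in the AJAX route: no nonce check, and the acting customer being chosen from client-supplied fields rather than from the authenticated session. The following is an added illustration of the defensive pattern, written for this page; it is not LatePoint's code and does not reflect its internal handler. The action name, nonce action, and step parameter are hypothetical. It shows what a WordPress AJAX handler that touches a customer account should do: verify the nonce, take identity only from the logged-in session, and treat any email in the request as untrusted input that is at most cross-checked, never used to pick an account to log into.

```php
<?php
// Illustrative WordPress AJAX step handler (added example, not LatePoint code).
// Hook, nonce action and field names are hypothetical placeholders.

// Only the authenticated hook is registered. The 'wp_ajax_nopriv_' variant is
// deliberately omitted: a step that acts on a customer account must not be
// reachable by anonymous callers at all.
add_action( 'wp_ajax_example_load_step', 'example_load_step' );

function example_load_step() {
    // 1. CSRF protection: the request must carry a valid nonce for this action.
    //    Passing false as the third argument returns instead of dying, so a
    //    structured JSON error can be sent.
    if ( ! check_ajax_referer( 'example_booking_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid request token.' ), 403 );
    }

    // 2. Identity comes from the session, never from the POST body.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }
    $user_id = get_current_user_id();
    $user    = get_userdata( $user_id );

    // 3. Client-supplied fields are untrusted: sanitize them and use them only
    //    for rendering the requested step. They are never passed to any
    //    login or session-creating routine.
    $step  = isset( $_POST['step'] )
        ? sanitize_key( wp_unslash( $_POST['step'] ) )
        : 'start';
    $email = isset( $_POST['customer']['email'] )
        ? sanitize_email( wp_unslash( $_POST['customer']['email'] ) )
        : '';

    // 4. If the client echoes an email back, it may only confirm the account
    //    already established by the session; a mismatch is rejected, not used
    //    to switch accounts.
    if ( '' !== $email && strtolower( $email ) !== strtolower( $user->user_email ) ) {
        wp_send_json_error( array( 'message' => 'Email does not match the signed-in account.' ), 403 );
    }

    wp_send_json_success( array(
        'step'    => $step,
        'user_id' => $user_id,
    ) );
}
```

The contrast with the flaw described above is the order of trust: here the nonce gate runs first, the account is fixed by `get_current_user_id()` before any request field is read, and the email field can only be compared against that account. For detection, a reviewer auditing a plugin can grep its `wp_ajax_nopriv_` handlers for calls that set auth cookies or switch the current user while reading `$_POST`/`$_REQUEST` fields without a preceding `check_ajax_referer()` or `wp_verify_nonce()`.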

Summary: explanation of the vulnerability in simple terms

LatePoint versions up to 5.1.94 contain an authentication bypass vulnerability that allows unauthenticated attackers to read sensitive data from the plugin. The vulnerability requires no user interaction and can be exploited over the network. Site administrators should update to a version newer than 5.1.94 immediately.

Attacker capabilities: what an attacker can do

Read sensitive information from the plugin without logging in.

Site impact: potential impact on your site

Attackers can access confidential booking, appointment, or user data stored by LatePoint.

Prerequisites: conditions required to exploit

Network access only; no authentication or user interaction required.

Disclosure timeline: key dates

September 30, 2025 CVE published
April 8, 2026 Record updated