What the vulnerability does
01 Description
The LatePoint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.1.94. This is due to missing nonce validation on the change_password() function of its customer_cabinet__change_password AJAX route. The plugin hooks this endpoint via wp_ajax and wp_ajax_nopriv but does not verify a nonce or user capability before resetting the user’s password. This makes it possible for unauthenticated attackers who trick a logged-in customer (or, with “WP users as customers” enabled, an administrator) into visiting a malicious link to take over their account.
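To show the defect the advisory describes and the check that removes it, here is an added example of a WordPress AJAX password-change handler. It is not LatePoint's code; the hook names, function names and POST field names are hypothetical, and only the WordPress core functions are real.

```php
<?php
// Added example, not LatePoint code. Hook, function and field names are hypothetical.

// UNSAFE pattern (what the advisory describes): reachable through both the
// logged-in and the nopriv AJAX hooks, and it changes the password with no
// nonce check, no login check and no proof of the current password.
add_action( 'wp_ajax_example_change_password', 'example_change_password_unsafe' );
add_action( 'wp_ajax_nopriv_example_change_password', 'example_change_password_unsafe' );
function example_change_password_unsafe() {
    $user = wp_get_current_user();
    wp_set_password( sanitize_text_field( wp_unslash( $_POST['new_password'] ) ), $user->ID );
    wp_send_json_success();
}

// HARDENED form: logged-in hook only, nonce bound to the action and the user,
// current password re-verified, new password validated, other sessions revoked.
add_action( 'wp_ajax_example_change_password', 'example_change_password_safe' );
function example_change_password_safe() {
    // Dies with HTTP 403 if the nonce is missing, stale or for another user,
    // so a cross-site form post from an attacker's page never reaches the change.
    check_ajax_referer( 'example_change_password', '_wpnonce' );
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }
    $user    = wp_get_current_user();
    $current = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    $new     = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    // Re-authenticate: a forged cross-site request cannot supply the victim's current password.
    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( array( 'message' => 'Current password is incorrect.' ), 403 );
    }
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( array( 'message' => 'New password must be at least 12 characters.' ), 400 );
    }
    wp_set_password( $new, $user->ID );
    // Log out every other session so a previously captured cookie stops working.
    wp_destroy_other_sessions();
    wp_send_json_success( array( 'message' => 'Password changed.' ) );
}

// The form that calls the endpoint must carry this nonce, generated for the logged-in user.
function example_change_password_nonce() {
    return wp_create_nonce( 'example_change_password' );
}
```

The same nonce check belongs on any state-changing `wp_ajax` handler; registering a sensitive action on `wp_ajax_nopriv` should be a deliberate exception, not the default.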
Explanation of Vulnerability in Simple Terms
02 Summary
LatePoint versions up to 5.1.94 are vulnerable to cross-site request forgery (CSRF) attacks. An attacker can craft a malicious webpage that, when visited by a logged-in site administrator, performs unwanted actions on the booking plugin without their knowledge or consent. This could allow unauthorized modification of appointments, settings, or other plugin data. Update to a version newer than 5.1.94 to resolve this issue.
What an attacker can do
03 Attacker Capabilities
Perform unauthorized actions on the booking plugin by tricking an admin into visiting a malicious webpage.
Potential impact on your site
04 Site Impact
Attackers can modify appointments, settings, or other booking data without your knowledge if admins visit malicious links.
Conditions required to exploit
05 Prerequisites
An admin must be logged in and visit an attacker-controlled webpage; the attacker needs no special privileges.
Key dates
06 Disclosure timeline
September 30, 2025: CVE published
April 8, 2026: Record updated