LatePoint WordPress Plugin CVE-2025-7038 Authentication Bypass: Brief Summary and Technical Review

This post provides a brief summary and technical review of CVE-2025-7038, an authentication bypass vulnerability affecting the LatePoint WordPress plugin up to version 5.1.94. It covers technical details, affected versions, detection methods, and vendor security history based on available sources.
CVE Analysis

ZeroPath CVE Analysis

2025-09-30
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

Attackers can gain access to any customer account on thousands of WordPress sites running LatePoint simply by sending a crafted request to a public AJAX endpoint. LatePoint is a popular appointment booking plugin for WordPress with over 7,000 active installations. A critical authentication bypass, CVE-2025-7038, was disclosed on September 30, 2025 and affects all versions up to and including 5.1.94. The flaw lets an unauthenticated attacker who knows a customer's email address log in as that customer, exposing personal and booking data. Because LatePoint is widely used by small and medium businesses to manage appointments, the impact falls on service providers and their clients alike.

Technical Information

CVE-2025-7038 is rooted in how LatePoint handles AJAX requests during the appointment booking flow. The vulnerable code path is the steps__load_step route of the latepoint_route_call AJAX action. That action is registered with WordPress's wp_ajax_nopriv_ hook, so admin-ajax.php serves it to visitors who are not logged in.

When a request reaches /wp-admin/admin-ajax.php with the action parameter set to latepoint_route_call and the route parameter set to steps__load_step, the plugin reads client-supplied fields such as the customer's email address. It then hands those values to its internal customer login handler without checking whether the requester is already authenticated, without any capability check, and without validating a WordPress AJAX nonce. A remote attacker can therefore supply the email address of any LatePoint customer and be logged in as that customer, gaining access to everything stored under that account. Note that a nonce alone would not close this hole: nonces are handed to anyone who loads the public booking form and defend against CSRF, not against a visitor acting on their own behalf. The decisive defect is that an unverified email address is accepted as proof of identity.

The root cause is the absence of authentication and authorization checks in the AJAX handler, combined with the exposure of the endpoint to unauthenticated users. The vulnerable logic is found in the following files in LatePoint version 5.1.93:

  • latepoint.php
  • lib/controllers/steps_controller.php

The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel). Attackers do not need any credentials or prior access to exploit this issue. The only requirement is knowledge of a target customer email, which can often be guessed or harvested from public sources.
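The request shape described above (action latepoint_route_call, route steps__load_step, a client-supplied customer email) is what a defender can look for in traffic. The following is an added example for this write-up, not code from LatePoint or Wordfence. Standard access logs do not record POST bodies, so it assumes a WAF or request-body audit log that emits JSON lines; the record layout and the field names "src", "params" and "customer_email" are assumptions, and the sample records are constructed. Since a legitimate guest booking also submits an email to this route, a single request proves nothing; the heuristic here is one source presenting many distinct customer emails in a short window.

```python
"""Spot email cycling against LatePoint's steps__load_step route.

Added example, not LatePoint's or Wordfence's code. The JSON-lines layout and
the field names "src", "params" and "customer_email" are assumptions; the
action/route values are the ones named in the advisory text.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

AJAX_PATH = "/wp-admin/admin-ajax.php"
TARGET_ACTION = "latepoint_route_call"
TARGET_ROUTE = "steps__load_step"
EMAIL_FIELD = "customer_email"  # assumed name of the client-supplied email field

# Constructed sample: 198.51.100.7 is one ordinary guest booking; 203.0.113.9
# walks through four different customer emails in about a minute, then one more
# much later. One unrelated WordPress "heartbeat" call shows the filter at work.
SAMPLE_LOG = "\n".join([
    '{"ts":"2025-09-30T10:00:01Z","src":"198.51.100.7","path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"latepoint_route_call","route":"steps__load_step","customer_email":"alice@example.com"}}',
    '{"ts":"2025-09-30T10:01:00Z","src":"203.0.113.9","path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"latepoint_route_call","route":"steps__load_step","customer_email":"bob@example.com"}}',
    '{"ts":"2025-09-30T10:01:10Z","src":"203.0.113.9","path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"latepoint_route_call","route":"steps__load_step","customer_email":"carol@example.com"}}',
    '{"ts":"2025-09-30T10:01:20Z","src":"203.0.113.9","path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"latepoint_route_call","route":"steps__load_step","customer_email":"dave@example.com"}}',
    '{"ts":"2025-09-30T10:01:30Z","src":"203.0.113.9","path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"heartbeat"}}',
    '{"ts":"2025-09-30T10:02:00Z","src":"203.0.113.9","path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"latepoint_route_call","route":"steps__load_step","customer_email":"frank@example.com"}}',
    '{"ts":"2025-09-30T10:40:00Z","src":"203.0.113.9","path":"/wp-admin/admin-ajax.php",'
    '"params":{"action":"latepoint_route_call","route":"steps__load_step","customer_email":"grace@example.com"}}',
])


def parse_records(text):
    """Parse JSON lines into dicts, converting the ISO timestamp to a datetime."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records


def is_load_step_request(rec):
    """True if the request targets the vulnerable AJAX action and route."""
    params = rec.get("params", {})
    return (rec.get("path", "").endswith(AJAX_PATH)
            and params.get("action") == TARGET_ACTION
            and params.get("route") == TARGET_ROUTE)


def detect_email_cycling(records, threshold=3, window=timedelta(minutes=5)):
    """Return {source: sorted emails} for sources that presented at least
    `threshold` distinct emails to steps__load_step inside any `window`.

    A single guest booking also sends an email to this route, so one request is
    not evidence of abuse; many distinct emails from one source in a short span is.
    """
    per_src = defaultdict(list)
    for rec in sorted(records, key=lambda r: r["ts"]):
        if not is_load_step_request(rec):
            continue
        email = rec["params"].get(EMAIL_FIELD, "").strip().lower()
        if email:
            per_src[rec["src"]].append((rec["ts"], email))

    flagged = defaultdict(set)
    for src, events in per_src.items():
        recent = deque()  # events inside the current sliding window
        for ts, email in events:
            recent.append((ts, email))
            while ts - recent[0][0] > window:
                recent.popleft()
            distinct = {e for _, e in recent}
            if len(distinct) >= threshold:
                flagged[src].update(distinct)
    return {src: sorted(emails) for src, emails in flagged.items()}


if __name__ == "__main__":
    for src, emails in detect_email_cycling(parse_records(SAMPLE_LOG)).items():
        print(f"{src}: {len(emails)} distinct customer emails -> {emails}")
```

On the sample, 203.0.113.9 is flagged with four emails; the 10:40 request falls outside every five-minute window and is not counted, and the single booking from 198.51.100.7 is left alone. Tune `threshold` and `window` to the site's real booking rate, and treat a hit as a prompt to update and to review the named customer accounts, not as a substitute for the update.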

Detection Methods

Detecting vulnerabilities in software systems is a multifaceted process that involves various methodologies, each tailored to identify specific types of security flaws. Below are some of the primary detection methods employed:

Static Application Security Testing (SAST):

SAST involves analyzing source code or binaries without executing the program. This method focuses on identifying vulnerabilities such as buffer overflows, injection flaws, and hard-coded secrets early in the development lifecycle. Tools like Checkmarx, Fortify, SonarQube, and Veracode are commonly used for SAST. (audit3a.com)

Dynamic Application Security Testing (DAST):

DAST tests the running application to uncover vulnerabilities that manifest during execution. By simulating attacks like cross-site scripting (XSS) and SQL injection, DAST tools such as OWASP ZAP, Burp Suite, and Acunetix can identify issues that arise from real user interactions. (audit3a.com)

Penetration Testing:

Also known as ethical hacking, penetration testing simulates real-world attacks to find exploitable vulnerabilities. This hands-on approach combines manual techniques with frameworks such as Metasploit, typically run from a distribution like Kali Linux, to assess the security posture of an application. (audit3a.com)

Code Review:

Manual inspection of the codebase by developers or security experts can uncover security flaws, logic errors, and poor coding practices that might lead to vulnerabilities. This proactive approach emphasizes critical areas such as authentication, authorization, error handling, and data input/output. (audit3a.com)

Dependency Scanning:

Applications often rely on third-party libraries and frameworks, which can introduce vulnerabilities if not properly managed. Dependency scanning tools like Snyk, WhiteSource, and OWASP Dependency-Check identify vulnerabilities in these components by checking their versions against databases of known issues. (audit3a.com)

Fuzz Testing:

Fuzz testing involves inputting large amounts of random, malformed, or unexpected data into a software application to identify vulnerabilities related to input handling. Tools such as American Fuzzy Lop (AFL) and Peach Fuzzer are used to detect issues like memory corruption or buffer overflows. (audit3a.com)

Security Audits:

Comprehensive reviews of software and its systems by security professionals can identify vulnerabilities and security risks. This includes examining configuration files, access control policies, encryption standards, and overall system architecture. Tools like OpenVAS, Nexpose, and Nessus facilitate these audits. (audit3a.com)

Threat Modeling:

This process involves identifying and prioritizing potential security threats to an application. By considering various attack vectors, developers can anticipate and mitigate vulnerabilities before they are introduced. (audit3a.com)

Deep Learning-Based Detection:

Advanced methods like VulDeePecker utilize deep learning to detect vulnerabilities by analyzing code snippets. This approach reduces reliance on manual feature engineering and can identify complex patterns indicative of security flaws. (arxiv.org)

Knowledge Graph-Based Detection:

Techniques employing knowledge graphs analyze relationships between code components to detect vulnerabilities. Modeling those relationships captures more of the code's semantics and can surface flaws that span several components or layers rather than a single function. (link.springer.com)

Automated Tools for Specific Vulnerabilities:

Tools like Log4j-CVE-Detect use YARA rules to detect specific vulnerabilities, such as those found in Log4j versions affected by CVE-2021-44228. These tools can analyze binary artifacts to identify vulnerable components. (github.com)

By integrating these detection methods, organizations can establish a robust security posture, effectively identifying and mitigating potential vulnerabilities in their software systems.

Detection reference: Wordfence Threat Intelligence

Affected Systems and Versions

CVE-2025-7038 affects the LatePoint plugin for WordPress in all versions up to and including 5.1.94. Any WordPress installation with LatePoint 5.1.94 or earlier is vulnerable if the plugin is active. The vulnerability is present regardless of specific configuration, as the affected AJAX endpoint is exposed by default.
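The version range above is the only reliable indicator of exposure, so the first thing to do is read the installed version off disk and compare it. The following added example (not code from LatePoint, WordPress or Wordfence) does that with a plain tuple comparison against 5.1.94. The plugin header text is a constructed stand-in for the real main file, the relative path latepoint/latepoint.php is assumed, and versions above 5.1.94 are reported only as outside the stated range, since the page does not name the fixed release.

```python
"""Triage a LatePoint install against the CVE-2025-7038 affected range.

Added example, not LatePoint's or WordPress's code. The only fact taken from the
advisory is the affected range (<= 5.1.94). SAMPLE_HEADER is a constructed
stand-in for a plugin's main file and PLUGIN_FILE is an assumed relative path.
"""
import os
import re

LAST_AFFECTED = (5, 1, 94)  # "all versions up to and including 5.1.94"
PLUGIN_FILE = os.path.join("latepoint", "latepoint.php")  # assumed, under wp-content/plugins
HEADER_BYTES = 8192  # WordPress itself only reads the first 8 KB when parsing headers

# WordPress reads plugin metadata from "Key: value" lines in a header comment.
HEADER_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)

# Constructed sample header; not the real file.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: LatePoint
 * Description: Appointment booking
 * Version: 5.1.94
 */
"""


def parse_version(text):
    """Convert '5.1.94' (or '5.1.94-rc1') into a tuple of ints for comparison."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(0).split("."))


def is_affected(version):
    """True when the version falls inside the stated affected range (<= 5.1.94).

    Tuples are zero-padded so that '5.1' compares as 5.1.0 rather than as a prefix.
    """
    v = parse_version(version)
    width = max(len(v), len(LAST_AFFECTED))

    def pad(t):
        return t + (0,) * (width - len(t))

    return pad(v) <= pad(LAST_AFFECTED)


def version_from_plugin_header(source):
    """Extract the Version: field from a plugin file header, or None if absent."""
    m = HEADER_VERSION_RE.search(source)
    return m.group(1) if m else None


def triage(source):
    """Summarise one plugin file: detected version and whether it is in range."""
    ver = version_from_plugin_header(source)
    return {"version": ver, "affected": ver is not None and is_affected(ver)}


def triage_plugins_dir(plugins_dir):
    """Read the LatePoint main file under a wp-content/plugins directory, if present."""
    path = os.path.join(plugins_dir, PLUGIN_FILE)
    if not os.path.isfile(path):
        return {"version": None, "affected": False, "note": "LatePoint not installed"}
    with open(path, encoding="utf-8", errors="replace") as fh:
        return triage(fh.read(HEADER_BYTES))


if __name__ == "__main__":
    print(triage(SAMPLE_HEADER))
```

Point `triage_plugins_dir` at a site's wp-content/plugins directory, or on a live site read the same value with WP-CLI (`wp plugin get latepoint --field=version`) and pass it to `is_affected`. A result of `affected: False` only means the version is above 5.1.94; confirm the actual fixed release against the vendor changelog before closing the finding.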

Vendor Security History

LatePoint has a documented history of authentication and input validation flaws. In October 2024, Wordfence disclosed two critical vulnerabilities in LatePoint versions up to 5.0.12, including an authentication bypass and an arbitrary password change via SQL injection. The vendor shipped patches and has kept up regular releases, and advisories are addressed in a timely manner, but the recurrence of authentication flaws suggests a structural weakness that warrants a deeper architectural review rather than point fixes.
