Introduction
Account takeovers and unauthorized password resets have immediate business impact for any organization using WordPress for appointment scheduling. The LatePoint plugin, active on over 7,000 WordPress sites, is a central scheduling solution for healthcare, services, and education providers. Its wide adoption and integration with customer data make vulnerabilities in LatePoint especially significant for the WordPress ecosystem.
Technical Information
CVE-2025-7052 is a Cross-Site Request Forgery vulnerability in the LatePoint WordPress plugin, affecting all versions up to and including 5.1.94. The root cause is missing nonce validation in the change_password() function of the customer_cabinet__change_password AJAX route. This function is implemented in the OsCustomerCabinetController class. The endpoint is registered with both wp_ajax and wp_ajax_nopriv, which means it is accessible to both authenticated and unauthenticated users. However, the function does not check for a valid WordPress nonce or user capabilities before processing the password change request.
This design flaw allows an attacker to craft a CSRF payload (for example, a hidden form or JavaScript on a malicious site) that submits a password change request on behalf of a logged-in user. When the victim visits the attacker's site while authenticated to the vulnerable WordPress instance, the browser automatically includes the session cookies, and the password is reset without the user's knowledge or consent. If the "WP users as customers" setting is enabled, this can also affect WordPress administrator accounts.
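To make the missing check concrete, the following is an added illustration written for this article, not LatePoint's own code: a hypothetical WordPress AJAX handler in the weak shape described above (no nonce, no ownership check, reachable via wp_ajax_nopriv) next to a hardened version. The function names, the nonce action string and the form field names are assumed.

```php
<?php
// Hypothetical illustration; not LatePoint's code. Handler names, the
// nonce action 'my_cabinet_change_password' and field names are assumed.

// Weak pattern: the handler trusts the session cookie alone. Any cross-site
// POST the browser sends with the victim's cookies reaches wp_set_password().
function my_cabinet_change_password_weak() {
    $user = wp_get_current_user();
    $new  = (string) ( $_POST['new_password'] ?? '' );
    wp_set_password( $new, $user->ID );
    wp_send_json_success();
}
// Registering the nopriv variant exposes the route to unauthenticated callers.
add_action( 'wp_ajax_my_cabinet_change_password', 'my_cabinet_change_password_weak' );
add_action( 'wp_ajax_nopriv_my_cabinet_change_password', 'my_cabinet_change_password_weak' );

// Hardened pattern: a session-bound nonce, an explicit login check, and
// re-authentication with the current password before the change is applied.
function my_cabinet_change_password_secure() {
    // check_ajax_referer() terminates the request with HTTP 403 when the nonce
    // is missing or invalid; the nonce is tied to the user session and is not
    // readable by a third-party origin, which is what defeats CSRF here.
    check_ajax_referer( 'my_cabinet_change_password', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'not logged in', 401 );
    }
    $user    = wp_get_current_user();
    $current = (string) ( $_POST['current_password'] ?? '' );
    $new     = (string) ( $_POST['new_password'] ?? '' );

    // Requiring the current password is defence in depth: even a leaked nonce
    // or an open tab cannot be turned into a silent password reset.
    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }
    wp_set_password( $new, $user->ID );
    wp_send_json_success();
}
// Only the authenticated hook: a password change has no unauthenticated caller.
add_action( 'wp_ajax_my_cabinet_change_password', 'my_cabinet_change_password_secure' );

// The page that submits the form must emit the matching nonce field, e.g.
// wp_nonce_field( 'my_cabinet_change_password', 'nonce' );
```

In a real review, the nopriv registration and the absence of a check_ajax_referer() or wp_verify_nonce() call in the handler are the two things to look for first.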
The vulnerability is classified as CWE-352 (Cross-Site Request Forgery). The relevant code can be reviewed at the following public sources:
Affected Systems and Versions
- Product: LatePoint WordPress plugin
- Affected versions: All versions up to and including 5.1.94
- Vulnerable configuration: All sites with LatePoint <= 5.1.94. Sites with "WP users as customers" enabled are at higher risk, as administrator accounts can be targeted.
Vendor Security History
LatePoint has experienced multiple critical vulnerabilities in recent years. In 2024, unauthenticated authentication bypass and arbitrary password change vulnerabilities were reported (see Wordfence 2024 advisory). The vendor has generally responded with timely patches, but the recurrence of basic security issues such as missing nonce validation and improper access controls indicates persistent gaps in secure development practices and code review.