CVE-2025-7038
BaseFortify
Publication date: 2025-09-30
Last updated on: 2025-10-02
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | wordpress | * |
| latepoint | latepoint | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-288 | The product requires authentication, but the product has an alternate path or channel that does not require authentication. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability in the LatePoint WordPress plugin allows unauthenticated attackers to bypass authentication. It occurs because the plugin's AJAX endpoint steps__load_step does not properly verify the user's identity, login status, capabilities, or a valid AJAX nonce before processing a client-supplied customer email and related fields. As a result, attackers can log into any customer's account without proper authorization.
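The checks named in the answer above, shown as a WordPress AJAX handler that takes the caller's identity from the session instead of from the submitted email. This is an added example, not LatePoint's code or its patch; the action name `example_load_step`, the `nonce` and `customer_email` field names and the `example_customer_id` user-meta key are assumptions.

```php
<?php
// Added example (hypothetical plugin code, not LatePoint's). Assumed names:
// action "example_load_step", fields "nonce" and "customer_email",
// user-meta key "example_customer_id". Runs inside WordPress.

add_action( 'wp_ajax_example_load_step', 'example_load_step' );
add_action( 'wp_ajax_nopriv_example_load_step', 'example_load_step' ); // guests may book

function example_load_step() {
    // Nonce first: reject the request before reading any other field.
    if ( ! check_ajax_referer( 'example_load_step', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce' ), 403 );
    }

    // The email is client-supplied data. Validate it, but never treat it
    // as proof of who the caller is.
    $email = isset( $_POST['customer_email'] )
        ? sanitize_email( wp_unslash( $_POST['customer_email'] ) )
        : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid email' ), 400 );
    }

    // Identity comes from the WordPress session, not from the request.
    $customer_id = 0; // 0 = guest: no existing account is attached
    if ( is_user_logged_in() ) {
        $user = wp_get_current_user();
        if ( 0 === strcasecmp( $user->user_email, $email ) ) {
            $target = $user; // caller is acting on their own account
        } elseif ( current_user_can( 'edit_users' ) ) {
            $target = get_user_by( 'email', $email ); // staff acting for a customer
        } else {
            wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
        }
        if ( $target ) {
            $customer_id = (int) get_user_meta( $target->ID, 'example_customer_id', true );
        }
    }

    // A guest who submits a registered customer's email gets a guest step only;
    // the handler never sets an auth cookie or customer session from $email.
    wp_send_json_success( array( 'customer_id' => $customer_id, 'email' => $email ) );
}
```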
How can this vulnerability impact me?
The vulnerability can allow attackers to gain unauthorized access to any customer's account within the LatePoint plugin. This can lead to unauthorized viewing or manipulation of customer data, potentially compromising sensitive information and undermining the security of the affected WordPress site.