CVE-2025-7038
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-7038, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-09-30

Last updated on: 2025-10-02

Assigner: Wordfence

Description

The LatePoint plugin for WordPress is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint in all versions up to, and including, 5.1.94. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-09-30
Last Modified
2025-10-02
Generated
2026-07-07
AI Q&A
2025-09-30
EPSS Evaluated
2026-07-06
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
wordpress wordpress *
latepoint latepoint *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-288 The product requires authentication, but the product has an alternate path or channel that does not require authentication.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the LatePoint WordPress plugin allows unauthenticated attackers to bypass authentication. It occurs because the plugin's AJAX endpoint steps__load_step does not properly verify the user's identity, login status, capabilities, or a valid AJAX nonce before processing a client-supplied customer email and related fields. As a result, attackers can log into any customer's account without proper authorization.

Impact Analysis

The vulnerability can allow attackers to gain unauthorized access to any customer's account within the LatePoint plugin. This can lead to unauthorized viewing or manipulation of customer data, potentially compromising sensitive information and undermining the security of the affected WordPress site.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-7038. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart