CVE-2025-14873
Cross-Site Request Forgery in LatePoint WordPress Plugin Allows Admin Actions
Publication date: 2026-02-14
Last updated on: 2026-02-14
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| latepoint | calendar_booking_plugin | to 5.2.5 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-352 | The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-14873 is a Cross-Site Request Forgery (CSRF) vulnerability in the LatePoint β Calendar Booking Plugin for WordPress, affecting all versions up to and including 5.2.5.
The vulnerability exists because the 'call_by_route_name' function in the plugin's routing layer only validates user capabilities but does not enforce nonce verification. This lack of nonce checks allows unauthenticated attackers to trick a site administrator into performing administrative actions by sending forged requests.
How can this vulnerability impact me? :
This vulnerability can allow an attacker to perform multiple administrative actions on a vulnerable WordPress site without proper authorization, provided they can trick an administrator into clicking a malicious link.
Such unauthorized administrative actions could lead to changes in site settings, manipulation of booking data, or other administrative functions that the plugin controls, potentially compromising the integrity and operation of the site.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of this vulnerability involves identifying if your system is running the LatePoint WordPress plugin version 5.2.5 or earlier, which is vulnerable to Cross-Site Request Forgery due to missing nonce verification.
You can check the plugin version installed on your WordPress site by running the following WP-CLI command:
- wp plugin list --status=active
Look for the LatePoint plugin and verify if its version is 5.2.5 or below.
Additionally, monitoring HTTP requests for suspicious forged administrative actions or unexpected POST requests to plugin routes without valid nonces may help detect exploitation attempts.
What immediate steps should I take to mitigate this vulnerability?
[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the LatePoint plugin to version 5.2.6 or later, which includes nonce verification and other security improvements that prevent Cross-Site Request Forgery attacks.'}, {'type': 'paragraph', 'content': 'If immediate updating is not possible, consider restricting administrative access to trusted users only and avoid clicking on untrusted links that could trigger forged requests.'}, {'type': 'paragraph', 'content': "Implementing Web Application Firewall (WAF) rules to block suspicious CSRF attempts targeting the plugin's routes can also help mitigate risk temporarily."}] [2]