CVE-2025-14873
Unknown Unknown - Not Provided
Cross-Site Request Forgery in LatePoint WordPress Plugin Allows Admin Actions

Publication date: 2026-02-14

Last updated on: 2026-02-14

Assigner: Wordfence

Description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilities without enforcing nonce verification. This makes it possible for unauthenticated attackers to perform multiple administrative actions via forged requests granted they can trick a site administrator into performing an action such as clicking on a link.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-14
Last Modified
2026-02-14
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-14873
EUVD
EUVD-2025-206971
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
latepoint calendar_booking_plugin to 5.2.5 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-352 The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2025-14873 is a Cross-Site Request Forgery (CSRF) vulnerability in the LatePoint – Calendar Booking Plugin for WordPress, affecting all versions up to and including 5.2.5.

The vulnerability exists because the 'call_by_route_name' function in the plugin's routing layer only validates user capabilities but does not enforce nonce verification. This lack of nonce checks allows unauthenticated attackers to trick a site administrator into performing administrative actions by sending forged requests.

Impact Analysis

This vulnerability can allow an attacker to perform multiple administrative actions on a vulnerable WordPress site without proper authorization, provided they can trick an administrator into clicking a malicious link.

Such unauthorized administrative actions could lead to changes in site settings, manipulation of booking data, or other administrative functions that the plugin controls, potentially compromising the integrity and operation of the site.

Compliance Impact

I don't know

Detection Guidance

Detection of this vulnerability involves identifying if your system is running the LatePoint WordPress plugin version 5.2.5 or earlier, which is vulnerable to Cross-Site Request Forgery due to missing nonce verification.

You can check the plugin version installed on your WordPress site by running the following WP-CLI command:

  • wp plugin list --status=active

Look for the LatePoint plugin and verify if its version is 5.2.5 or below.

Additionally, monitoring HTTP requests for suspicious forged administrative actions or unexpected POST requests to plugin routes without valid nonces may help detect exploitation attempts.

Mitigation Strategies

[{'type': 'paragraph', 'content': 'The primary mitigation step is to update the LatePoint plugin to version 5.2.6 or later, which includes nonce verification and other security improvements that prevent Cross-Site Request Forgery attacks.'}, {'type': 'paragraph', 'content': 'If immediate updating is not possible, consider restricting administrative access to trusted users only and avoid clicking on untrusted links that could trigger forged requests.'}, {'type': 'paragraph', 'content': "Implementing Web Application Firewall (WAF) rules to block suspicious CSRF attempts targeting the plugin's routes can also help mitigate risk temporarily."}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-14873. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart