PT-2025-39957 · WordPress · Latepoint

Wesley · Published 2025-09-30 · Updated 2025-10-05 · CVE-2025-7052

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
LatePoint plugin for WordPress, versions up to and including 5.1.94
Description
The plugin is vulnerable to Cross-Site Request Forgery (CSRF) because it does not validate a nonce. The missing check is in the change_password() function behind the customer cabinet change-password AJAX route. The plugin registers this endpoint on both the wp_ajax and wp_ajax_nopriv hooks and neither verifies a nonce nor checks a user capability before performing the password reset, so the only thing authenticating the request is the WordPress auth cookie that the victim's browser attaches automatically. An unauthenticated attacker can therefore take over an account by tricking a logged-in customer, or an administrator on a site with “WP users as customers” enabled, into visiting a malicious link whose page submits the forged request.
Recommendations
Update the LatePoint plugin to a version newer than 5.1.94.
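The following is an added example and is not LatePoint's code: a hypothetical plugin ("myplugin", all action and function names are assumptions) exposing a change-password AJAX route, first in the unprotected shape the description above covers, then hardened with the nonce and authorization checks that were missing. It uses only standard WordPress API functions (add_action, check_ajax_referer, wp_create_nonce, wp_check_password, wp_set_password, WP_Session_Tokens).

```php
<?php
/**
 * Added example, not LatePoint's code. Plugin name, action names and function
 * names ("myplugin", "myplugin_change_password") are assumptions.
 */

/* ---------- VULNERABLE: the pattern the advisory describes ---------- */

// Registered on BOTH hooks, so admin-ajax.php routes any caller, logged in or
// not, to the same handler.
add_action( 'wp_ajax_myplugin_change_password',        'myplugin_change_password_vulnerable' );
add_action( 'wp_ajax_nopriv_myplugin_change_password', 'myplugin_change_password_vulnerable' );

function myplugin_change_password_vulnerable() {
    // The only "authentication" is the auth cookie the browser attaches on its
    // own, which a cross-site request carries just the same. $_REQUEST also
    // accepts GET, so a bare link is enough to trigger it.
    $user = wp_get_current_user();
    $new  = isset( $_REQUEST['new_password'] ) ? (string) wp_unslash( $_REQUEST['new_password'] ) : '';

    if ( $user->ID && '' !== $new ) {
        wp_set_password( $new, $user->ID ); // no nonce, no capability check, no current password
        wp_send_json_success();
    }
    wp_send_json_error( 'not logged in', 401 );
}

/* ---------- HARDENED ---------- */

// Only the logged-in hook. An unauthenticated caller has no password to change,
// so the nopriv variant is never registered at all.
add_action( 'wp_ajax_myplugin_change_password', 'myplugin_change_password_safe' );

function myplugin_change_password_safe() {
    // (1) CSRF: the nonce is bound to this action, this user and this session
    // token; a page on another origin cannot read it, so a forged request
    // fails here. On failure check_ajax_referer() ends the request with 403.
    check_ajax_referer( 'myplugin_change_password', 'nonce' );

    // (2) Authorization: a nonce proves the request came from our page, not
    // that the caller may act, so still require a logged-in user.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $user = wp_get_current_user();

    // (3) Re-authentication: a forged or hijacked request does not know the
    // current password.
    $current = isset( $_POST['current_password'] ) ? (string) wp_unslash( $_POST['current_password'] ) : '';
    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }

    $new = isset( $_POST['new_password'] ) ? (string) wp_unslash( $_POST['new_password'] ) : '';
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }

    wp_set_password( $new, $user->ID );

    // The auth cookie hash covers a fragment of user_pass, so the caller's own
    // cookie is now stale: re-issue it, and drop every other session so a
    // session stolen earlier does not outlive the password change.
    WP_Session_Tokens::get_instance( $user->ID )->destroy_others( wp_get_session_token() );
    wp_set_auth_cookie( $user->ID );

    wp_send_json_success();
}

// The form that calls the route. The nonce is minted server-side for the
// logged-in user and travels back with the request as the "nonce" field.
function myplugin_render_change_password_form() {
    if ( ! is_user_logged_in() ) {
        return '';
    }
    return sprintf(
        '<form method="post" action="%s">'
        . '<input type="hidden" name="action" value="myplugin_change_password">'
        . '<input type="hidden" name="nonce" value="%s">'
        . '<input type="password" name="current_password" autocomplete="current-password">'
        . '<input type="password" name="new_password" autocomplete="new-password">'
        . '<button type="submit">Change password</button>'
        . '</form>',
        esc_url( admin_url( 'admin-ajax.php' ) ),
        esc_attr( wp_create_nonce( 'myplugin_change_password' ) )
    );
}
```

The three checks are deliberately separate: the nonce stops a cross-origin page from forging the request, the login check stops anonymous callers (and removing the nopriv hook stops them before the handler runs), and the current-password check limits what a compromised session can do. When auditing a plugin for this class of bug, list every add_action on a wp_ajax_nopriv_* hook and confirm the handler calls check_ajax_referer() or wp_verify_nonce() and a capability or login check before any state change; a password or e-mail change reachable from a nopriv hook is the pattern this advisory describes.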

Fix

CSRF

Weakness Enumeration

Related Identifiers

CVE-2025-7052

Affected Products

Latepoint