Platform
wordpress
Component
latepoint
Fixed in
5.2.6
A Cross-Site Request Forgery (CSRF) vulnerability exists in the LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress. An attacker who has no account on the site can cause administrative actions to be performed if they can get a logged-in site administrator to open a malicious link or page: the administrator's browser sends the forged request along with the existing session cookie, and the plugin acts on it without verifying that the administrator intended it. All versions up to and including 5.2.5 are affected. A fix is available in version 5.2.6.
Because the forged request carries the administrator's authenticated session, the plugin executes it with full administrative privileges. An attacker could use this to create, modify, or delete appointments or to change plugin settings. CSRF does not let the attacker read the responses to the forged requests, so direct access to data stored within the plugin is not possible; any exposure of sensitive data would have to come indirectly through a setting the attacker was able to change. The attack relies on social engineering, that is, convincing an administrator who is logged into the site to visit a page crafted by the attacker. Successful exploitation could lead to significant disruption of scheduling operations and to unauthorised changes made under the administrator's identity.
This vulnerability is currently not listed in the CISA KEV catalog. No public proof-of-concept exploit is known to be widely available, and the EPSS score (0.03%, 8th percentile) indicates a low estimated probability of exploitation in the near term. The vulnerability was publicly disclosed on 2026-02-14. Patching should still be prioritised, since a CSRF exploit for a booking plugin requires no more than a crafted web page once the vulnerable request is known.
Any WordPress site running LatePoint 5.2.5 or earlier is exposed. Exploitation requires an administrator who is logged into the site in a browser that then loads attacker-controlled content (a link in an e-mail, a comment, or another website), so sites whose administrators stay logged in and browse from the same browser, or who have not been trained to treat unsolicited links with suspicion, are at increased risk. Hosting arrangements do not by themselves change exposure to a CSRF flaw; what matters is whether the plugin verifies that each state-changing request was intentionally issued by the administrator.
• wordpress / composer / npm: check whether the affected code path is present in the installed plugin (the plugin directory name on your host may differ from the one shown):
  grep -r 'call_by_route_name' /var/www/html/wp-content/plugins/latepoint-booking-plugin/*
• generic web: this only lists the site's response headers and cannot confirm or rule out the CSRF flaw, which depends on server-side nonce verification rather than on any header:
  curl -I https://your-wordpress-site.com/ | grep -i 'referer'
• wordpress / composer / npm: confirm that the plugin is active and read its installed version; anything at or below 5.2.5 is vulnerable:
  wp plugin list --status=active | grep latepoint
Exploit Status
EPSS
0.03% (percentile 8%)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade the LatePoint plugin to version 5.2.6 or later, which adds the nonce verification needed to reject forged requests. If upgrading immediately is not possible, a Web Application Firewall (WAF) with CSRF rules can reduce exposure, but it is a partial stop-gap: a WAF can only block requests on heuristics such as a missing or foreign Referer or Origin header, and it cannot know which requests the administrator actually intended. Additionally, educate administrators about the risks of clicking on suspicious links while logged in, and encourage them to regularly review appointments and plugin settings for unauthorised changes. There are no specific configuration workarounds beyond the upgrade.
Update to version 5.2.6 or a later fixed version.
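The fix described above is the standard WordPress pattern: every state-changing handler must check a nonce bound to the action and to the user's session, in addition to checking the user's capability. The following is an added illustration written for this page, not LatePoint's code and not the actual fix in 5.2.6; the hook name, option name, nonce action and field name (`example_booking_*`, `_example_booking_nonce`) are hypothetical. It shows a settings handler that is vulnerable to CSRF beside its hardened form, and the legitimate form that carries the nonce.

```php
<?php
/**
 * Illustrative example (not LatePoint's code): an admin-post handler that
 * changes a booking-plugin setting, first without CSRF protection, then hardened.
 * All hook, option and nonce names below are hypothetical.
 */

// --- Vulnerable pattern: trusts any request arriving with an admin cookie. ---
// A page controlled by the attacker can auto-submit a form to
// admin-post.php with action=example_booking_save_settings while the admin is
// logged in; the browser attaches the session cookie and this handler runs.
function example_booking_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }
    // The capability check alone does not stop CSRF: the victim IS the admin,
    // so the request passes it. Nothing proves the admin intended this request.
    $email = sanitize_email( wp_unslash( $_POST['notification_email'] ?? '' ) );
    update_option( 'example_booking_notification_email', $email );
    wp_safe_redirect( admin_url( 'admin.php?page=example-booking&saved=1' ) );
    exit;
}

// --- Hardened pattern: nonce bound to the action, plus the capability check. ---
function example_booking_save_settings_hardened() {
    // check_admin_referer() calls wp_die() unless $_POST['_example_booking_nonce']
    // is a valid nonce for this action, issued to the current user and not expired.
    // An attacker's page cannot obtain that value: it is never sent cross-origin.
    check_admin_referer( 'example_booking_save_settings', '_example_booking_nonce' );

    // A nonce proves intent, not authority; keep the capability check as well.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 403 );
    }

    $email = sanitize_email( wp_unslash( $_POST['notification_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address', 400 );
    }
    update_option( 'example_booking_notification_email', $email );
    wp_safe_redirect( admin_url( 'admin.php?page=example-booking&saved=1' ) );
    exit;
}
add_action( 'admin_post_example_booking_save_settings', 'example_booking_save_settings_hardened' );

// The legitimate settings form embeds the nonce with wp_nonce_field(); the same
// action string and field name must be used on both sides.
function example_booking_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_booking_save_settings">
        <?php wp_nonce_field( 'example_booking_save_settings', '_example_booking_nonce' ); ?>
        <label>Notification e-mail
            <input type="email" name="notification_email"
                   value="<?php echo esc_attr( get_option( 'example_booking_notification_email', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

For handlers registered on `wp_ajax_*` hooks the equivalent call is `check_ajax_referer( $action, $query_arg )`, with the nonce handed to the page's JavaScript via `wp_create_nonce()` or `wp_localize_script()`. When auditing a plugin for this class of bug, look for every `add_action( 'admin_post_…' )`, `add_action( 'wp_ajax_…' )` and custom router entry point that writes to the database and confirm that a nonce check precedes the write; a capability check on its own, as in the vulnerable function above, is not sufficient.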
CVE-2025-14873 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the LatePoint plugin for WordPress, allowing attackers to perform actions as an administrator.
You are affected if you are using LatePoint plugin versions 0.0.0 through 5.2.5. Upgrade to 5.2.6 or later to mitigate the risk.
Upgrade the LatePoint plugin to version 5.2.6 or later. Consider a WAF as a temporary mitigation if immediate upgrade is not possible.
There is no confirmed active exploitation at this time, but it's crucial to patch promptly to prevent potential attacks.
Refer to the LatePoint plugin's official website or WordPress plugin repository for the latest advisory and update information.