Platform: wordpress
Component: latepoint
Fixed in: 5.2.6
A Cross-Site Request Forgery (CSRF) vulnerability exists in the LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress. This flaw allows unauthenticated attackers to potentially perform administrative actions if they can trick a site administrator into clicking a malicious link. The vulnerability affects versions from 0.0.0 up to and including 5.2.5. A fix is available in version 5.2.6.
This CSRF vulnerability allows an attacker to execute actions as an authenticated administrator of the WordPress site. An attacker could leverage this to create, modify, or delete appointments, change plugin settings, or potentially gain access to sensitive data stored within the plugin. The attack relies on social engineering – convincing an administrator to visit a malicious webpage crafted by the attacker. Successful exploitation could lead to significant disruption of scheduling operations and compromise of administrative privileges.
This vulnerability is currently not listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low to medium probability of active exploitation. The vulnerability was publicly disclosed on 2026-02-14. It's crucial to prioritize patching to prevent potential exploitation.
WordPress sites using the LatePoint plugin, particularly those with shared hosting environments or those where administrators are not adequately trained in security best practices, are at increased risk. Sites with legacy configurations or those that haven't implemented robust security measures are also more vulnerable.
• wordpress / composer / npm:
grep -r 'call_by_route_name' /var/www/html/wp-content/plugins/latepoint-booking-plugin/*
• generic web:
curl -I https://your-wordpress-site.com/ | grep -i 'referer'
• wordpress / composer / npm:
wp plugin list --status=active | grep latepoint
Disclosure
Exploit Status
EPSS
0.03% (8th percentile)
CISA SSVC
CVSS-vector
The primary mitigation is to upgrade the LatePoint plugin to version 5.2.6 or later, which includes the necessary nonce verification to prevent CSRF attacks. If upgrading immediately is not possible, consider implementing a Web Application Firewall (WAF) with CSRF protection rules to filter out malicious requests. Additionally, educate administrators about the risks of clicking on suspicious links and encourage them to regularly review plugin settings for any unauthorized changes. There are no specific configuration workarounds beyond the upgrade.
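To make the nonce-verification fix concrete, here is an added example (not LatePoint's code) of a hypothetical WordPress admin-post handler that deletes an appointment, first in the CSRF-prone form and then hardened with WordPress's own nonce functions; the action name, field names, page slug and the `demo_` helper are all assumptions for illustration.

```php
<?php
// Added illustration, not code from the LatePoint plugin. Assumes appointments
// are stored as posts; the demo_ names are constructed for this example.

// Hypothetical helper: permanently delete the appointment post.
function demo_delete_appointment( $id ) {
    return wp_delete_post( $id, true );
}

// VULNERABLE pattern: relies only on the administrator being logged in.
// A form on any third-party page the admin visits can auto-submit to
// admin-post.php, and the browser attaches the admin's session cookie.
function demo_delete_appointment_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    $id = absint( $_POST['appointment_id'] ?? 0 );
    demo_delete_appointment( $id );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-appointments' ) );
    exit;
}

// HARDENED pattern: the request must carry a nonce bound to this action and
// to the logged-in user's session. A cross-site form cannot obtain it, so
// check_admin_referer() dies with a 403 before the state change happens.
function demo_delete_appointment_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }
    check_admin_referer( 'demo_delete_appointment', '_demo_nonce' );
    $id = absint( $_POST['appointment_id'] ?? 0 );
    demo_delete_appointment( $id );
    wp_safe_redirect( admin_url( 'admin.php?page=demo-appointments' ) );
    exit;
}
// Only the hardened handler is wired to the admin-post action.
add_action( 'admin_post_demo_delete_appointment', 'demo_delete_appointment_hardened' );

// The legitimate form embeds the matching nonce via wp_nonce_field().
function demo_render_delete_form( $appointment_id ) {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="demo_delete_appointment">
        <input type="hidden" name="appointment_id" value="<?php echo absint( $appointment_id ); ?>">
        <?php wp_nonce_field( 'demo_delete_appointment', '_demo_nonce' ); ?>
        <button type="submit">Delete appointment</button>
    </form>
    <?php
}
```

The capability check alone does not stop CSRF because the attacker never needs the admin's credentials, only the admin's browser; the nonce is what ties the request to a page the site itself rendered.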
Update to version 5.2.6 or a newer patched version.
CVE-2025-14873 is a Cross-Site Request Forgery (CSRF) vulnerability affecting the LatePoint plugin for WordPress, allowing attackers to perform actions as an administrator.
You are affected if you are using LatePoint plugin versions 0.0.0 through 5.2.5. Upgrade to 5.2.6 or later to mitigate the risk.
Upgrade the LatePoint plugin to version 5.2.6 or later. Consider a WAF as a temporary mitigation if immediate upgrade is not possible.
There is no confirmed active exploitation at this time, but it's crucial to patch promptly to prevent potential attacks.
Refer to the LatePoint plugin's official website or WordPress plugin repository for the latest advisory and update information.