CVE-2025-14873 Overview
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability in all versions up to and including 5.2.5. The vulnerability exists in the call_by_route_name function within the plugin's routing layer, which only validates user capabilities without enforcing nonce verification. This security flaw allows unauthenticated attackers to perform multiple administrative actions via forged requests, provided they can trick a site administrator into performing an action such as clicking on a malicious link.
Critical Impact
Unauthenticated attackers can execute administrative actions on affected WordPress sites by exploiting missing nonce verification in the routing layer, potentially leading to unauthorized modifications to booking configurations and appointment data.
Affected Products
- LatePoint – Calendar Booking Plugin for Appointments and Events for WordPress versions up to and including 5.2.5
Discovery Timeline
- 2026-02-14 - CVE-2025-14873 published to NVD
- 2026-02-18 - Last updated in NVD database
Technical Details for CVE-2025-14873
Vulnerability Analysis
This vulnerability is classified as CWE-352: Cross-Site Request Forgery. The root issue lies in the plugin's routing architecture where administrative function calls are processed without proper CSRF protection mechanisms. The call_by_route_name function serves as a central routing handler that dispatches requests to various administrative endpoints. While the function implements capability checks to verify that the requesting user has appropriate permissions, it fails to validate that requests originate from legitimate sources through nonce verification.
In WordPress security best practices, nonces serve as one-time tokens that validate the authenticity of form submissions and AJAX requests. Without nonce verification, the plugin cannot distinguish between legitimate administrator-initiated requests and forged requests crafted by attackers. This oversight creates an exploitable attack surface where malicious actors can construct specially crafted requests that execute administrative actions when an authenticated administrator unknowingly triggers them.
Root Cause
The vulnerability stems from an incomplete implementation of WordPress security controls in the plugin's routing layer. The call_by_route_name function performs user capability validation to ensure only users with appropriate roles can execute administrative functions, but it omits the critical step of nonce verification. WordPress provides the wp_verify_nonce() function and related APIs specifically to prevent CSRF attacks, but these protections were not implemented in the affected code paths. This architectural oversight allows attackers to bypass the security model by leveraging an authenticated administrator's existing session.
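The pattern described in the analysis and root cause above, shown as an added illustration rather than LatePoint's own code: a simplified dispatcher with the capability-only check beside the same dispatcher with nonce verification added. The route table, the capability, the nonce action prefix and the `_wpnonce` parameter name are assumptions for this example; the WordPress functions used are real.

```php
<?php
// Added illustration, not LatePoint's code: a simplified dispatcher in the shape
// the advisory describes. The route table, capability, nonce action prefix and
// the `_wpnonce` parameter name are assumptions for this example.

$ROUTES = [
    'settings__update' => ['cap' => 'manage_options', 'handler' => 'example_save_settings'],
];
function example_save_settings(array $request): string {
    return 'settings saved'; // stand-in for the real handler
}

// Vulnerable pattern: only the capability is checked. A forged cross-site POST
// riding on an administrator's session cookie passes this check and is dispatched.
function call_by_route_name_vulnerable(string $route, array $request): string {
    global $ROUTES;
    if (!isset($ROUTES[$route])) {
        return 'unknown route';
    }
    if (!current_user_can($ROUTES[$route]['cap'])) {
        return 'forbidden';
    }
    return call_user_func($ROUTES[$route]['handler'], $request);
}

// Fixed pattern: require a nonce bound to the route name before the capability
// check. A cross-site page cannot read the nonce, so the forged request fails here.
function call_by_route_name_fixed(string $route, array $request): string {
    global $ROUTES;
    if (!isset($ROUTES[$route])) {
        return 'unknown route';
    }
    $nonce = isset($request['_wpnonce']) ? sanitize_text_field(wp_unslash($request['_wpnonce'])) : '';
    if (!wp_verify_nonce($nonce, 'latepoint_route_' . $route)) {
        wp_die('Invalid request token', 'Forbidden', ['response' => 403]);
    }
    if (!current_user_can($ROUTES[$route]['cap'])) {
        wp_die('Insufficient permissions', 'Forbidden', ['response' => 403]);
    }
    return call_user_func($ROUTES[$route]['handler'], $request);
}

// The plugin's own admin pages must mint a matching nonce for every link or
// form that targets a route, otherwise legitimate requests are rejected too.
function example_route_url(string $route): string {
    return add_query_arg(['route_name' => $route, '_wpnonce' => wp_create_nonce('latepoint_route_' . $route)], admin_url('admin-ajax.php'));
}
```

wp_verify_nonce() ties the token to the logged-in user, the action string and a time window, which is exactly the origin check the capability test alone cannot provide.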
Attack Vector
The attack requires network access and user interaction, specifically requiring an authenticated administrator to trigger the malicious request. An attacker would craft a specially designed HTML page or link containing a forged request targeting the vulnerable plugin endpoints. The attacker must then use social engineering techniques to convince a logged-in WordPress administrator to visit the malicious page or click the crafted link while their administrative session is active.
When the administrator's browser processes the malicious request, it automatically includes their authentication cookies, causing the WordPress server to accept the forged request as a legitimate administrative action. This can result in unauthorized modifications to plugin settings, booking configurations, service definitions, or other administrative data managed by the LatePoint plugin.
Detection Methods for CVE-2025-14873
Indicators of Compromise
- Unexpected modifications to LatePoint plugin settings or booking configurations
- Administrative actions logged in WordPress audit trails that administrators did not intentionally perform
- Suspicious referrer headers in web server logs indicating requests originated from external domains
- Unusual patterns of administrative API calls targeting LatePoint plugin endpoints
Detection Strategies
- Monitor WordPress audit logs for administrative actions on the LatePoint plugin that lack corresponding user activity
- Implement web application firewall (WAF) rules to detect and block requests with suspicious referrer headers targeting admin endpoints
- Review server access logs for POST requests to LatePoint administrative routes originating from external referrers
- Deploy endpoint detection solutions capable of identifying browser-based CSRF attack patterns
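One way to carry out the access-log review listed above, as an added example that is not part of this advisory or the plugin: a PHP CLI scan over combined-format log lines that flags POST requests to LatePoint admin-side endpoints whose Referer host is not the site itself. It assumes the Apache/Nginx "combined" format and that LatePoint admin requests contain the string "latepoint" in the request URI; the sample lines are constructed.

```php
<?php
// Added detection example, not part of the advisory or the plugin. Assumes the
// Apache/Nginx "combined" log format and that LatePoint admin requests carry the
// string "latepoint" in the request URI (the real route parameter names are not
// given in the advisory, so the query string below is constructed).

const LOG_RE = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*"/';

function find_cross_site_admin_posts(array $lines, string $site_host): array {
    $hits = [];
    foreach ($lines as $line) {
        if (!preg_match(LOG_RE, $line, $m)) {
            continue; // not combined format; skip rather than guess
        }
        [, $ip, $when, $method, $uri, $status, $referer] = $m;
        // Only state-changing requests to the plugin's endpoints are of interest.
        if ($method !== 'POST' || stripos($uri, 'latepoint') === false) {
            continue;
        }
        $ref_host = ($referer === '' || $referer === '-') ? '' : (string) parse_url($referer, PHP_URL_HOST);
        if ($ref_host === '') {
            $reason = 'no referer (browser privacy settings can cause this; lower confidence)';
        } elseif (strcasecmp($ref_host, $site_host) !== 0) {
            $reason = 'referer host ' . $ref_host . ' is not ' . $site_host;
        } else {
            continue; // same-origin referer: expected for admin UI traffic
        }
        $hits[] = ['ip' => $ip, 'time' => $when, 'uri' => $uri, 'status' => $status, 'reason' => $reason];
    }
    return $hits;
}

// Constructed sample lines (RFC 5737 documentation addresses, example.* hosts).
$sample = [
    '203.0.113.5 - admin [14/Feb/2026:09:12:01 +0000] "POST /wp-admin/admin-ajax.php?action=latepoint_example_route HTTP/1.1" 200 512 "https://shop.example.com/wp-admin/admin.php?page=latepoint" "Mozilla/5.0"',
    '198.51.100.7 - admin [14/Feb/2026:09:15:44 +0000] "POST /wp-admin/admin-ajax.php?action=latepoint_example_route HTTP/1.1" 200 512 "https://blog.example.net/offer.html" "Mozilla/5.0"',
    '203.0.113.5 - admin [14/Feb/2026:09:16:02 +0000] "GET /wp-admin/admin.php?page=latepoint HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
];

foreach (find_cross_site_admin_posts($sample, 'shop.example.com') as $hit) {
    printf("%s %s %s -> %s (HTTP %s)\n", $hit['time'], $hit['ip'], $hit['uri'], $hit['reason'], $hit['status']);
}
```

Only the second sample line is reported; a flagged line with a 200 status is the one worth correlating against the audit log for the same minute.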
Monitoring Recommendations
- Enable comprehensive WordPress activity logging to track all plugin configuration changes
- Configure alerting for administrative actions performed outside normal business hours or from unusual IP addresses
- Implement real-time monitoring for modifications to critical booking and appointment settings
- Establish baseline patterns for legitimate administrative activity to detect anomalous behavior
How to Mitigate CVE-2025-14873
Immediate Actions Required
- Update the LatePoint plugin to a version newer than 5.2.5 that includes the security patch
- Review recent plugin configuration changes for any unauthorized modifications
- Audit booking data and appointment settings for unexpected alterations
- Educate administrators about the risks of clicking untrusted links while logged into WordPress
Patch Information
The vulnerability has been addressed in newer versions of the LatePoint plugin. The security fix can be reviewed in the WordPress Plugin Changeset. Site administrators should update to the latest available version through the WordPress plugin repository. Additional technical details about this vulnerability are available in the Wordfence Vulnerability Report.
Workarounds
- Limit administrative access to the WordPress dashboard to trusted networks or VPN connections until the patch can be applied
- Implement additional CSRF protection at the web application firewall level for LatePoint administrative endpoints
- Advise administrators to use dedicated browser sessions for WordPress administration and avoid clicking external links while logged in
- Consider temporarily disabling the LatePoint plugin if immediate patching is not feasible and the plugin is not critical to operations
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.