WordPress Plugin Vulnerabilities

LatePoint – Calendar Booking Plugin for Appointments and Events < 5.2.6 - Cross-Site Request Forgery

Description

The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilities without enforcing nonce verification. This makes it possible for unauthenticated attackers to perform multiple administrative actions via forged requests granted they can trick a site administrator into performing an action such as clicking on a link.

Affects Plugins

Plugin icon
latepoint
Fixed in 5.2.6

References

CVE
CVE-2025-14873
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/1f7aa23c-ffa7-481b-8481-a36c7ed599d8

Classification

Type
CSRF
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-352
CVSS
4.3 (medium)

Miscellaneous

Original Researcher
Moose Love
Verified
No
WPVDB ID
75e53ea9-60c0-4541-bc78-2990b87985f2

Timeline

Publicly Published
2026-02-13 (about 3 months ago)
Added
2026-02-13 (about 3 months ago)
Last Updated
2026-02-14 (about 2 months ago)

Other

Published
Title
Published
2025-05-10
Title
Premmerce Product Search for WooCommerce < 2.2.5 - Cross-Site Request Forgery
Published
2026-01-06
Title
Latest Tabs <= 1.5 - Cross-Site Request Forgery to Plugin's Settings Update
Published
2023-04-12
Title
ChatBot < 4.4.5 - Stored XSS via CSRF
Published
2025-04-17
Title
mLanguage <= 1.6.1 - Cross-Site Request Forgery
Published
2024-04-19
Title
WordPress Automatic Plugin < 3.93.0 Cross-Site Request Forgery