4.3
LatePoint WordPress Plugin Allows Unauthenticated Admin Actions
CVE-2025-14873
Summary
If an attacker tricks an administrator into clicking a malicious link, the attacker can perform unauthorized actions on the WordPress site through the LatePoint plugin. This is a security risk because it allows unauthorized changes to the site's settings. To protect your site, update the LatePoint plugin to version 5.2.6 or later.
Original title
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the ...
Original description
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilities without enforcing nonce verification. This makes it possible for unauthenticated attackers to perform multiple administrative actions via forged requests, granted they can trick a site administrator into performing an action such as clicking on a link.
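The gap the description names, a capability check with no nonce check, is shown below as an added example; it is a simplified stand-alone model, not LatePoint's code. The function names, the session array, the route name and the HMAC-based nonce are assumptions; in a WordPress plugin the corresponding calls are `current_user_can()` and `wp_verify_nonce()` or `check_admin_referer()`.

```php
<?php
// Added example: simplified model of a route dispatcher, not LatePoint's code.
// All names (dispatch_*, $admin, 'settings__update') are hypothetical.

const NONCE_KEY = 'constructed-demo-secret'; // stands in for the site's secret salts

// Nonce bound to the logged-in session and to one action,
// in the spirit of WordPress's wp_create_nonce().
function make_nonce(array $session, string $action): string {
    return hash_hmac('sha256', $session['id'] . '|' . $action, NONCE_KEY);
}

// Before: only the capability is checked. The browser attaches the admin's
// cookie to a cross-site request, so a forged request passes this check.
function dispatch_capability_only(array $session, string $route, array $params): string {
    if (!in_array('manage_options', $session['caps'], true)) {
        return 'denied: capability';
    }
    return "executed: $route";
}

// After: the request must also carry a nonce that another site cannot know.
function dispatch_with_nonce(array $session, string $route, array $params): string {
    if (!in_array('manage_options', $session['caps'], true)) {
        return 'denied: capability';
    }
    $sent = $params['_wpnonce'] ?? '';
    if (!is_string($sent) || !hash_equals(make_nonce($session, $route), $sent)) {
        return 'denied: nonce';
    }
    return "executed: $route";
}

// Constructed sample data: one administrator session and two requests.
$admin  = ['id' => 'sess-123', 'caps' => ['manage_options']];
$route  = 'settings__update';
$forged = ['value' => 'x'];                                    // cross-site, no nonce
$legit  = ['value' => 'x', '_wpnonce' => make_nonce($admin, $route)]; // plugin's own form

echo dispatch_capability_only($admin, $route, $forged), "\n";
echo dispatch_with_nonce($admin, $route, $forged), "\n";
echo dispatch_with_nonce($admin, $route, $legit), "\n";
```

Run with the PHP CLI: the capability-only dispatcher executes the forged request, while the nonce-checking dispatcher rejects it and still accepts the request that carries a valid nonce.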
nvd CVSS3.1
4.3
Vulnerability type
CWE-352
Cross-Site Request Forgery (CSRF)
Published: 14 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026