Atomic Edge analysis of CVE-2025-14873:
The LatePoint WordPress plugin, versions up to and including 5.2.5, contains a Cross-Site Request Forgery (CSRF) vulnerability in its routing layer. The vulnerability allows unauthenticated attackers to perform administrative actions by tricking an authenticated administrator into submitting a forged request. The CVSS score of 4.3 reflects a medium severity rating.

Atomic Edge research identified the root cause in the ‘call_by_route_name’ function within the plugin’s routing layer. This function validates user capabilities but does not verify a nonce for administrative actions, so any request that arrives with an administrator’s session cookies is accepted regardless of where it originated. The code diff shows multiple controller methods missing nonce checks before executing administrative operations. Specifically, the vulnerable functions are ‘update_steps_order’, ‘set_menu_layout_style’, ‘remove_chain_schedule’ and ‘remove_custom_day_schedule’ in settings_controller.php, and ‘save_service’ and ‘save_agent’ in wizard_controller.php.

Exploitation requires an attacker to craft malicious requests targeting the plugin’s AJAX endpoints. Attackers can create forged links or forms that trigger administrative actions when visited by an authenticated administrator. The attack vector uses the plugin’s routing system via the ‘data-os-action’ parameter in HTML elements or direct POST requests to the WordPress admin-ajax.php endpoint with the appropriate action parameter. The payload would include administrative parameters like ‘steps_order’, ‘menu_layout_style’, ‘chain_id’, ‘date’, ‘agent_id’, or service/agent data without requiring a valid nonce.

The patch in version 5.2.6 adds nonce verification to all vulnerable controller methods. Each patched function now calls ‘$this->check_nonce()’ with an action-specific nonce name before executing administrative operations. The diff shows nonce checks added to six controller methods across three files. Additionally, the patch updates HTML data attributes to include nonce parameters via ‘OsUtilHelper::build_os_params()’ calls in work_periods_helper.php and various view files, so the front end carries the nonce that the controllers now demand. Before the patch, a request was accepted as soon as the capability check passed, with no nonce validation; after the patch, every administrative action requires both the proper capability and a valid nonce.
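The before/after pattern described above, as an added illustration that is not LatePoint’s code: the function names, option name and nonce action are hypothetical, and the WordPress runtime functions (current_user_can, wp_verify_nonce, wp_create_nonce, wp_send_json_*) are assumed to be available.

```php
<?php
// Constructed illustration of the CSRF fix pattern; not the plugin's own code.
// Assumes a WordPress runtime. Names prefixed "example_" are hypothetical.

// BEFORE: capability check only. The browser attaches the administrator's
// session cookies to any request, including one submitted from a page the
// administrator did not author, so this check alone cannot tell a legitimate
// admin-UI request from a cross-site forgery.
function example_update_steps_order_before() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    $order = isset( $_POST['steps_order'] ) ? (array) $_POST['steps_order'] : array();
    update_option( 'example_steps_order', array_map( 'sanitize_key', $order ) );
    wp_send_json_success();
}

// AFTER: capability check plus a nonce bound to this specific action.
// The nonce is derived from the user session and the action name and is only
// rendered into the plugin's own admin pages, so a third-party origin has no
// way to obtain or guess it; the forged request fails the second check.
function example_update_steps_order_after() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    $nonce = isset( $_POST['_wpnonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_wpnonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_update_steps_order' ) ) {
        wp_send_json_error( 'invalid_nonce', 403 ); // exits
    }
    $order = isset( $_POST['steps_order'] ) ? (array) $_POST['steps_order'] : array();
    update_option( 'example_steps_order', array_map( 'sanitize_key', $order ) );
    wp_send_json_success();
}

// The nonce is minted server-side while rendering the admin UI and carried in
// a data attribute, the counterpart of the nonce parameters the patch adds to
// the plugin's HTML data attributes (hypothetical markup, not the plugin's).
function example_render_steps_button() {
    $nonce = wp_create_nonce( 'example_update_steps_order' );
    printf(
        '<button data-action="example_update_steps_order" data-nonce="%s">Save order</button>',
        esc_attr( $nonce )
    );
}

// Register the hardened handler for admin-ajax.php requests from logged-in users.
add_action( 'wp_ajax_example_update_steps_order', 'example_update_steps_order_after' );
```

When reviewing a plugin for this class of bug, the check is mechanical: every state-changing AJAX or route handler should contain both a capability check and a nonce verification, and every place that emits the triggering markup should mint the matching nonce.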

Successful exploitation enables attackers to perform multiple administrative actions. These actions include reordering booking steps, changing menu layout styles, removing custom schedules, deleting day-off ranges, and creating or modifying services and agents. Attackers could disrupt business operations, modify booking workflows, or delete scheduling configurations. The vulnerability does not provide direct remote code execution or data exfiltration, but it allows unauthorized administrative changes that could impact service availability and business continuity.