A critical vulnerability has been identified in the LatePoint WordPress plugin, assigned CVE-2025-6715 with a CVSS score of 9.8. This flaw allows an unauthenticated attacker to include and execute arbitrary code on the server by manipulating a specific parameter. Successful exploitation could lead to a complete compromise of the website, resulting in data theft, service disruption, and further network intrusion.

The plugin is vulnerable to a Local File Inclusion (LFI) flaw in the layout parameter. An attacker can craft a malicious web request that uses this parameter to specify a file path on the server. Because the input is not properly sanitized, the application will include and execute the contents of the specified PHP file, leading to Remote Code Execution (RCE). This type of attack does not require authentication, making it easy to exploit via automated scanning tools.

This vulnerability is rated as critical severity with a CVSS score of 9.8, posing a significant and immediate threat to the organization. Exploitation can lead to a complete compromise of the web server, granting an attacker full control. Potential consequences include unauthorized access to and exfiltration of sensitive data (e.g., customer PII, appointment details, internal documents), website defacement, deployment of ransomware, and the use of the compromised server as a pivot point to attack other internal systems. This can result in severe reputational damage, financial loss, regulatory fines, and operational downtime.

Immediate Action: Update the LatePoint WordPress plugin to the patched version 5.1.94 or the latest available version immediately. After updating, verify that the website is functioning correctly.

Proactive Monitoring: System administrators should actively monitor web server access logs for any requests targeting the LatePoint plugin that contain the layout parameter with suspicious values, such as path traversal sequences (../), absolute file paths, or PHP wrappers (php://). Monitor for any unexpected file modifications or outbound network connections from the web server.

Compensating Controls: If patching cannot be performed immediately, implement the following controls:

• Use a Web Application Firewall (WAF) with rulesets designed to detect and block LFI and path traversal attack patterns.
• Temporarily disable the LatePoint plugin until it can be safely updated.
• Harden server permissions to restrict the web server user's ability to read sensitive files outside of the web root directory.

Public Exploit Available: true

Given the critical severity (CVSS 9.8) and the availability of a public exploit, immediate remediation is essential. All organizations using the vulnerable versions of the LatePoint plugin must prioritize installing the security update without delay. Due to the high risk of a full system compromise, it is strongly recommended to perform a compromise assessment after patching to ensure the server has not already been breached. Although not currently on the CISA KEV list, the nature of this vulnerability makes it a prime candidate for future inclusion and active exploitation by threat actors.