CVE-2025-7038
LatePoint · LatePoint plugin for WordPress
A high-severity authentication bypass vulnerability has been identified in the LatePoint plugin for WordPress.
Executive summary
A high-severity authentication bypass vulnerability has been identified in the LatePoint plugin for WordPress. This flaw allows an unauthenticated attacker to bypass security checks and gain unauthorized access to functions within the plugin, potentially leading to data exposure, modification of appointments, and further compromise of the affected website. Immediate patching is required to mitigate the significant risk to data confidentiality and integrity.
Vulnerability
The vulnerability exists due to insufficient identity verification in the latepoint_route_call AJAX action, specifically when handling the steps__load_step route. An unauthenticated attacker can send a specially crafted request to this endpoint. Because the endpoint fails to properly validate the user's session or privileges, the attacker can bypass authentication controls and execute functions that should be restricted to authenticated, privileged users.
Business impact
This vulnerability is rated as High severity with a CVSS score of 8.2. Successful exploitation could lead to significant business disruption and data compromise. An attacker could potentially access and exfiltrate sensitive customer information and personally identifiable information (PII) stored by the booking plugin, modify or delete existing appointments, or create fraudulent ones. This poses a direct threat to data confidentiality and integrity, potentially resulting in reputational damage, customer distrust, and regulatory fines.
Remediation
Immediate Action: Update the LatePoint plugin to the latest available version (a version greater than 5), which contains the security patch for this vulnerability. After updating, review the WordPress site's security settings and user accounts for any signs of compromise. If the plugin is no longer required for business operations, deactivate it and remove it completely.
Proactive Monitoring: Monitor web server and WAF (Web Application Firewall) logs for suspicious POST requests to the /wp-admin/admin-ajax.php endpoint. Specifically, look for requests containing action=latepoint_route_call and route_name=steps__load_step originating from untrusted or unusual IP addresses. Monitor for unauthorized changes to appointments or user data within the LatePoint system.
Compensating Controls: If immediate patching is not feasible, implement a Web Application Firewall (WAF) rule to block or flag requests to the vulnerable AJAX endpoint. Restrict access to the WordPress admin area (/wp-admin/) to trusted IP addresses only. Ensure the principle of least privilege is applied to all user accounts.
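The monitoring guidance above can be turned into a repeatable check. The following script is an added example written for this advisory; it is not code from LatePoint or from the advisory's authors. It assumes web-server access logs in the common "combined" format, scans them for admin-ajax.php requests carrying action=latepoint_route_call together with route_name=steps__load_step, and groups the hits by client IP so that sources outside an operator-supplied trusted set can be reviewed. The log lines embedded below are constructed for illustration only; the trusted-IP set and the helper names are assumptions of this example.

```python
"""Detection helper for the LatePoint steps__load_step monitoring guidance.

Added example (hypothetical helper, not part of the LatePoint plugin or of the
advisory). Assumes Apache/nginx "combined" access-log format. SAMPLE_LOG is
constructed for illustration and does not come from a real site.
"""
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Parameters named in the advisory: action=latepoint_route_call with
# route_name=steps__load_step on /wp-admin/admin-ajax.php.
AJAX_PATH = "/wp-admin/admin-ajax.php"
WATCH_ACTION = "latepoint_route_call"
WATCH_ROUTE = "steps__load_step"

# Combined log format:
# ip ident user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: two sources hit the watched route, one of them twice;
# one heartbeat call and one other LatePoint route should not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2025:14:02:11 +0000] "POST /wp-admin/admin-ajax.php?action=latepoint_route_call&route_name=steps__load_step HTTP/1.1" 200 512 "-" "python-requests/2.32"
198.51.100.4 - - [10/Jul/2025:14:02:15 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 120 "https://example.test/wp-admin/" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:14:02:20 +0000] "GET /wp-admin/admin-ajax.php?action=latepoint_route_call&route_name=bookings__index HTTP/1.1" 200 800 "-" "python-requests/2.32"
192.0.2.9 - - [10/Jul/2025:14:03:01 +0000] "POST /wp-admin/admin-ajax.php?action=latepoint_route_call&route_name=steps__load_step HTTP/1.1" 200 512 "https://example.test/book/" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2025:14:03:09 +0000] "POST /wp-admin/admin-ajax.php?action=latepoint_route_call&route_name=steps__load_step HTTP/1.1" 200 512 "-" "python-requests/2.32"
"""


def is_watched_request(target, body=None):
    """True when the request targets admin-ajax.php with the watched action and route.

    admin-ajax.php reads parameters from both the query string and the POST body,
    so both are checked; pass `body` when the log source (e.g. a WAF) captured it.
    endswith() is used so that WordPress installed under a sub-path still matches.
    """
    parts = urlsplit(target)
    if not parts.path.endswith(AJAX_PATH):
        return False
    params = parse_qs(parts.query)
    if body:
        for key, values in parse_qs(body).items():
            params.setdefault(key, []).extend(values)
    return (WATCH_ACTION in params.get("action", [])
            and WATCH_ROUTE in params.get("route_name", []))


def find_suspicious_sources(log_text, trusted_ips=frozenset()):
    """Group watched requests by client IP, skipping IPs the operator trusts.

    Returns {ip: {"count": int, "methods": set, "user_agents": set, "referers": set}}.
    Unparseable lines are skipped rather than raising, since real logs are noisy.
    """
    hits = defaultdict(lambda: {"count": 0, "methods": set(),
                                "user_agents": set(), "referers": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["ip"] in trusted_ips or not is_watched_request(m["target"]):
            continue
        entry = hits[m["ip"]]
        entry["count"] += 1
        entry["methods"].add(m["method"])
        entry["user_agents"].add(m["ua"])
        entry["referers"].add(m["referer"])
    return dict(hits)


if __name__ == "__main__":
    # Review hits per source; a missing referer plus a scripting user-agent is
    # worth a closer look, but legitimate booking pages also call this route.
    for ip, info in find_suspicious_sources(SAMPLE_LOG).items():
        print(f"{ip}: {info['count']} request(s), methods={sorted(info['methods'])}, "
              f"user_agents={sorted(info['user_agents'])}, referers={sorted(info['referers'])}")
```

Because the booking front end can legitimately call this route for anonymous visitors, the script reports per-source counts, methods, referers and user agents for an analyst to judge rather than treating every match as an attack; feed it `trusted_ips` for known-good sources, and supply the POST body to `is_watched_request` when the log source captures it.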
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the high severity (CVSS 8.2) and the critical nature of an authentication bypass, it is strongly recommended that organizations prioritize the immediate update of the LatePoint plugin on all WordPress instances. Although there is no evidence of active exploitation at this time, the risk of compromise is significant. Proactive patching is the most effective defense to prevent potential unauthorized access and protect sensitive customer data.