CVE-2025-12963
Published: 12 December 2025
Description
The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint prior to updating their details, such as their email address. This makes it possible for unauthenticated attackers to change an arbitrary user's email address, including an administrator's, and leverage that to reset the user's password and gain access to their account. It is also possible for attackers to abuse this endpoint to grant users access to additional roles within the plugin.
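The flaw class described above (a REST route whose permission callback accepts everyone, and a handler that trusts a client-supplied user ID) is easiest to see beside its fix. The following is an added illustration and is not the LazyTasks plugin's code, which this page does not show; the `example/v1` namespace, the `user_id`, `email` and `plugin_role` parameters, the `example_plugin_role` user-meta key and the capabilities chosen (`edit_user` for the target account, `manage_options` for plugin role changes) are assumptions for illustration only.

```php
<?php
/*
 * Added example, not LazyTasks code. Names, parameters and capabilities are assumptions.
 * Requires WordPress core (register_rest_route, wp_update_user, current_user_can, ...).
 */

// BEFORE (vulnerable pattern): '__return_true' is the documented value for a
// deliberately public route, so any caller, logged in or not, reaches the handler.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/user/role/edit/', array(
        'methods'             => 'POST',
        'callback'            => 'example_edit_user_unsafe',
        'permission_callback' => '__return_true',   // no authentication or authorization
    ) );
} );

function example_edit_user_unsafe( WP_REST_Request $req ) {
    // Trusts the client-supplied target ID: anyone can rewrite any account's email,
    // then use "Lost your password?" to receive the reset link at their own address.
    $user_id = (int) $req->get_param( 'user_id' );
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $req->get_param( 'email' ) ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

// AFTER (hardened): authenticate, authorize against the *target* account, validate input.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/user/role/edit/', array(
        'methods'             => 'POST',
        'callback'            => 'example_edit_user_safe',
        'permission_callback' => 'example_can_edit_target_user',
        'args'                => array(
            'user_id'     => array( 'required' => true,  'type' => 'integer', 'minimum' => 1 ),
            'email'       => array( 'required' => false, 'type' => 'string',  'format'  => 'email' ),
            'plugin_role' => array( 'required' => false, 'type' => 'string' ),
        ),
    ) );
} );

function example_can_edit_target_user( WP_REST_Request $req ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    $target = (int) $req->get_param( 'user_id' );
    // Editing another account requires the core edit_user meta capability for that
    // specific target (administrators hold it); editing one's own profile is allowed.
    if ( $target !== get_current_user_id() && ! current_user_can( 'edit_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not edit this user.', array( 'status' => 403 ) );
    }
    // Granting plugin roles is an administrative action regardless of the target.
    if ( null !== $req->get_param( 'plugin_role' ) && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error( 'rest_forbidden', 'Only administrators may change plugin roles.', array( 'status' => 403 ) );
    }
    return true;
}

function example_edit_user_safe( WP_REST_Request $req ) {
    $user_id = (int) $req->get_param( 'user_id' );
    $email   = $req->get_param( 'email' );
    if ( null !== $email ) {
        $email = sanitize_email( $email );
        if ( ! is_email( $email ) || email_exists( $email ) ) {
            return new WP_Error( 'rest_invalid_param', 'Invalid or already-used email.', array( 'status' => 400 ) );
        }
        $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
        if ( is_wp_error( $result ) ) {
            return $result;
        }
    }
    $role = $req->get_param( 'plugin_role' );
    if ( null !== $role ) {
        // Storage of plugin roles is plugin-specific; user meta is used here as an assumption.
        update_user_meta( $user_id, 'example_plugin_role', sanitize_key( $role ) );
    }
    return rest_ensure_response( array( 'ok' => true, 'user_id' => $user_id ) );
}
```

Two caveats when reviewing a plugin for this pattern: since WordPress 5.5 omitting `permission_callback` only raises a `_doing_it_wrong` notice, so `'__return_true'` is what you will actually find on routes that were never meant to be public; and cookie-authenticated REST calls are treated as unauthenticated unless they carry a valid `X-WP-Nonce`, so a permission callback that assumes `get_current_user_id()` is non-zero without checking `is_user_logged_in()` first silently degrades to the vulnerable behaviour.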
Mitigating Controls (NIST 800-53 r5) (AI-generated)
- Enforces approved authorizations on the vulnerable REST API endpoint to prevent unauthenticated privilege escalation via unauthorized user email and role updates.
- Requires timely identification, reporting, and patching of the specific authorization flaw in the LazyTasks WordPress plugin to eliminate the vulnerability.
- Manages account identifiers, attributes such as email addresses, and plugin role memberships with identity validation to mitigate unauthorized modifications.
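For a site that cannot update immediately, the first control (enforce authorization on the endpoint) can be applied from outside the plugin as a stopgap. The following must-use plugin is an added example, not code from LazyTasks or Wordfence: it uses the core `rest_request_before_callbacks` filter to refuse calls to the affected route before the plugin's own callback runs. Only the route path comes from this advisory; the `edit_users` capability, the log format and the function names are assumptions, and the guard should be removed once the plugin is updated past 1.2.29.

```php
<?php
/**
 * Plugin Name: Temporary guard for the LazyTasks user/role/edit REST route
 * Description: Added example (not LazyTasks code). Denies unauthenticated or
 *              low-privilege calls to the affected route until the plugin is updated.
 *
 * Install by copying into wp-content/mu-plugins/ so it loads before regular plugins.
 * Assumption: callers must hold the edit_users capability; adjust to your site's policy.
 */

// Route path taken from the advisory; compared without the trailing slash.
const LAZYTASKS_GUARDED_ROUTE_PREFIX = '/lazytasks/api/v1/user/role/edit';

/** True when $route (the part after /wp-json) is the guarded endpoint or a sub-route of it. */
function lazytasks_guard_is_affected_route( string $route ): bool {
    return 0 === strpos( rtrim( $route, '/' ), LAZYTASKS_GUARDED_ROUTE_PREFIX );
}

/**
 * Runs for every REST request before the matched callback. Returning a WP_Error
 * short-circuits dispatch, so the plugin's handler never sees the request.
 */
add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( ! lazytasks_guard_is_affected_route( $request->get_route() ) ) {
        return $response;                      // every other route is untouched
    }
    if ( ! is_user_logged_in() || ! current_user_can( 'edit_users' ) ) {
        // Record the attempt for incident response (the advisory lists T1190 attempts
        // against this exact path), then refuse with 401 for anonymous, 403 for low-privilege.
        error_log( sprintf(
            'lazytasks-guard: blocked %s %s from %s',
            $request->get_method(),
            $request->get_route(),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ) );
        return new WP_Error(
            'lazytasks_guard_forbidden',
            'This endpoint is temporarily restricted.',
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return $response;
}, 10, 3 );
```

A virtual patch of this kind only covers the route path named in the advisory; it does not fix the missing check inside the plugin, so updating remains the actual remediation (the second control above). Because the guard runs before the plugin callback, existing blocked requests in the PHP error log also give a starting point for the account-review step implied by the third control: any administrator whose email changed around the time of a blocked or earlier unblocked call should have the address verified and the password reset.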
Security Summary (AI-generated)
CVE-2025-12963 is a critical privilege escalation vulnerability affecting the LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress, in all versions up to and including 1.2.29. The issue stems from the plugin's failure to check, at the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint, that the caller is authenticated and authorized to modify the targeted account before updating user details such as the email address. The flaw is classified under CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), and was published on 2025-12-12.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By abusing the vulnerable endpoint, they can change any user's email address, including an administrator's, to an address they control, and then use the standard WordPress "Lost your password?" flow to receive a reset link and take over the account. Additionally, attackers can grant targeted users additional roles within the plugin, escalating their own privileges or those of other accounts.
Mitigation details are available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/c6998185-0f9b-48ab-9dca-05adf5ae603a?source=cve and the plugin's WordPress.org page at https://wordpress.org/plugins/lazytasks-project-task-management/. Security practitioners should review these sources for patch availability, update recommendations, and workaround guidance.
Details
- CWE(s): CWE-862 (Missing Authorization)
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
The vulnerability allows unauthenticated exploitation of a public-facing WordPress REST API endpoint (T1190, Exploit Public-Facing Application) to manipulate user accounts by changing emails and roles (T1098, Account Manipulation), yielding account takeover and privilege escalation (T1068, Exploitation for Privilege Escalation).