CVE-2025-12963
Unknown Unknown - Not Provided
Privilege Escalation in LazyTasks Plugin via REST API Abuse

Publication date: 2025-12-12

Last updated on: 2025-12-12

Assigner: Wordfence

Description
The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. It is also possible for attackers to abuse this endpoint to grant users with access to additional roles within the plugin
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-12
Last Modified
2025-12-12
Generated
2026-06-16
AI Q&A
2025-12-12
EPSS Evaluated
2026-06-15
NVD
CVE-2025-12963
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpres lazy_tasks *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the LazyTasks WordPress plugin (up to version 1.2.29) and allows unauthenticated attackers to escalate privileges by exploiting improper validation of user identity in the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint. Attackers can change arbitrary users' email addresses, including administrators', which enables them to reset passwords and take over accounts. Additionally, attackers can abuse this endpoint to grant users additional roles within the plugin.

Impact Analysis

The vulnerability can lead to unauthorized access to user accounts, including administrator accounts, by allowing attackers to reset passwords through email address changes. This can result in full compromise of the affected WordPress site, including unauthorized changes, data theft, or disruption of services. Attackers can also escalate privileges by assigning additional roles to users, increasing the potential damage.

Mitigation Strategies

To mitigate this vulnerability, immediately update the LazyTasks plugin to a version later than 1.2.29 where the issue is fixed. Additionally, review user accounts for unauthorized email changes or role escalations, and reset passwords for any potentially compromised accounts. Restrict access to the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint if possible until the plugin is updated.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12963. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart