CVE-2025-14064
Unauthorized Access in BuddyTask Plugin via Missing Capability Checks
Publication date: 2025-12-12
Last updated on: 2026-04-08
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| wordpress | buddytask | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows authenticated users with Subscriber-level access to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of. This unauthorized access and modification of potentially sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information. Therefore, this vulnerability negatively impacts compliance by enabling unauthorized data exposure and modification. [2, 4]
Can you explain this vulnerability to me?
The BuddyTask plugin for WordPress has a vulnerability due to missing capability checks on multiple AJAX endpoints in versions up to 1.3.0. This allows authenticated users with Subscriber-level access or higher to access and modify task boards of any BuddyPress group, including private and hidden groups they do not belong to.
How can this vulnerability impact me?
This vulnerability can allow unauthorized users with low-level access to view, create, modify, and delete task boards in any BuddyPress group, including private and hidden ones. This could lead to data exposure, unauthorized data modification, and potential disruption of group activities.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the vulnerability in the BuddyTask plugin (versions up to and including 1.3.0), immediately update the plugin to version 1.4.0 or later, which includes enhanced permission checks and security improvements. Additionally, ensure that BuddyPress is updated to version 2.5.0 or higher as required by the plugin. Review user permissions to restrict Subscriber-level users from unauthorized access until the update is applied. [2, 4]
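The two answers above describe the defect (AJAX endpoints that any authenticated user can call, with nothing tying the caller to the group whose board is requested) and the fix shipped in 1.4.0 (permission checks added to those endpoints). The following PHP is an added illustration of that defect class and of the check that closes it; it is not code from the BuddyTask plugin or from Wordfence. The hook names, the `buddytask_get_board` nonce action and the `buddytask_example_load_board` helper are hypothetical; the WordPress and BuddyPress functions used (`check_ajax_referer`, `groups_get_group`, `groups_is_user_member`, `bp_current_user_can`, `wp_send_json_error`) are real.

```php
<?php
/**
 * Added example (not the BuddyTask plugin's code): the CWE-862 shape of a
 * board-reading AJAX handler, followed by a version that authorizes per request.
 * Hook names, the nonce action and the storage helper are hypothetical.
 */

// Hypothetical stand-in for the plugin's own board lookup.
function buddytask_example_load_board( int $group_id ): array {
    return array( 'group_id' => $group_id, 'tasks' => array() );
}

// BEFORE: wp_ajax_* only guarantees *some* logged-in user. Nothing checks that
// the caller belongs to the group, so a Subscriber can read (and, in the
// mutating endpoints, change) the board of a private or hidden group simply
// by supplying that group's id.
function buddytask_example_get_board_vulnerable() {
    $group_id = absint( $_POST['group_id'] ?? 0 );
    wp_send_json_success( buddytask_example_load_board( $group_id ) );
}
add_action( 'wp_ajax_buddytask_example_get_board_vulnerable', 'buddytask_example_get_board_vulnerable' );

// AFTER: decide authorization before any data is touched.
function buddytask_example_can_access_board( int $group_id ): bool {
    if ( ! is_user_logged_in() || $group_id <= 0 ) {
        return false;
    }
    $group = groups_get_group( $group_id );
    if ( empty( $group->id ) ) {
        return false; // unknown group: deny rather than guess
    }
    // Site-wide BuddyPress moderators may see every group; everyone else must
    // be a member. Membership is exactly what private/hidden groups gate on.
    if ( bp_current_user_can( 'bp_moderate' ) ) {
        return true;
    }
    return (bool) groups_is_user_member( bp_loggedin_user_id(), $group_id );
}

function buddytask_example_get_board_fixed() {
    // CSRF protection. A nonce proves the request came from a page the site
    // served to this user; it is NOT an authorization check on its own.
    check_ajax_referer( 'buddytask_get_board', 'nonce' );

    $group_id = absint( $_POST['group_id'] ?? 0 );
    if ( ! buddytask_example_can_access_board( $group_id ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    wp_send_json_success( buddytask_example_load_board( $group_id ) );
}
add_action( 'wp_ajax_buddytask_example_get_board_fixed', 'buddytask_example_get_board_fixed' );
```

The same membership test belongs in front of every endpoint the advisory lists (add_new_task, edit_task, delete_task, reorder_task); for the ones that modify or delete data, a stricter rule such as requiring group admin or moderator status (`groups_is_user_admin`, `groups_is_user_mod`) is the usual choice. A nonce check alone would not have prevented this class of issue, since the attacker here is a legitimately logged-in user submitting their own nonce.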
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects BuddyTask plugin versions up to and including 1.3.0. Detection can be done by checking the installed BuddyTask plugin version on your WordPress site. You can detect the vulnerable version by running WP-CLI commands to list installed plugins and their versions, for example: `wp plugin list | grep buddytask`. If the version is 1.3.0 or lower, the site is vulnerable. Additionally, monitoring AJAX requests to the BuddyTask plugin endpoints (such as get_board, add_new_task, edit_task, delete_task, reorder_task) without proper capability checks could indicate exploitation attempts. However, no specific detection commands or network signatures are provided in the resources. [2, 4]