CVE-2025-14064
Unauthorized Access in BuddyTask Plugin via Missing Capability Checks

Publication date: 2025-12-12

Last updated on: 2026-04-08

Assigner: Wordfence

Description
The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of.
Meta Information
Generated: 2026-06-16
AI Q&A: 2025-12-12
EPSS Evaluated: 2026-06-15
Affected Vendors & Products (1 associated CPE)
Vendor: wordpress
Product: buddytask
Version / Range: *
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

The BuddyTask plugin for WordPress has a vulnerability due to missing capability checks on multiple AJAX endpoints in versions up to 1.3.0. This allows authenticated users with Subscriber-level access or higher to access and modify task boards of any BuddyPress group, including private and hidden groups they do not belong to.

Impact Analysis

This vulnerability allows authenticated users with only Subscriber-level access to view, create, modify, and delete task boards in any BuddyPress group, including private and hidden ones. This could lead to data exposure, unauthorized data modification, and disruption of group activities.

Compliance Impact

The vulnerability allows authenticated users with Subscriber-level access to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of. This unauthorized access and modification of potentially sensitive data could lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on access to personal and sensitive information. Therefore, this vulnerability negatively impacts compliance by enabling unauthorized data exposure and modification. [2, 4]

Mitigation Strategies

To mitigate the vulnerability in the BuddyTask plugin (versions up to and including 1.3.0), immediately update the plugin to version 1.4.0 or later, which includes enhanced permission checks and security improvements. Additionally, ensure that BuddyPress is updated to version 2.5.0 or higher as required by the plugin. Review user permissions to restrict Subscriber-level users from unauthorized access until the update is applied. [2, 4]

Detection Guidance

This vulnerability affects BuddyTask plugin versions up to and including 1.3.0. Detection starts with checking the installed BuddyTask version on the WordPress site, for example with WP-CLI: `wp plugin list | grep buddytask`. If the version is 1.3.0 or lower, the site is vulnerable. Additionally, monitoring admin-ajax requests for the BuddyTask actions (get_board, add_new_task, edit_task, delete_task, reorder_task) issued by low-privilege accounts, or targeting groups the requesting user is not a member of, can surface exploitation attempts. However, no specific detection commands or network signatures are provided in the resources. [2, 4]
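To make the defect class concrete, the following is an added example and not BuddyTask's own code: a hypothetical `demo_get_board` AJAX handler in its vulnerable form (no authorization check, CWE-862) beside a hardened form that verifies a nonce and the caller's relationship to the BuddyPress group. All `demo_`-prefixed names and the nonce action `demo_board_nonce` are assumptions; the BuddyPress and WordPress functions called are real.

```php
<?php
// Hypothetical handler (not BuddyTask's code). wp_ajax_* hooks fire for
// every logged-in role, Subscriber included, so a handler that only
// trusts the supplied group_id hands out any group's board.
function demo_get_board_vulnerable() {
    $group_id = isset( $_POST['group_id'] ) ? absint( $_POST['group_id'] ) : 0;
    // No nonce, no capability check, no membership check (CWE-862).
    wp_send_json_success( demo_load_board( $group_id ) );
}

// Hardened form: confirm the request is intentional (nonce), then confirm
// the caller may see this group's data before touching anything.
function demo_get_board_hardened() {
    check_ajax_referer( 'demo_board_nonce', 'nonce' ); // wp_die()s on failure

    $group_id = isset( $_POST['group_id'] ) ? absint( $_POST['group_id'] ) : 0;
    $user_id  = get_current_user_id();
    if ( ! $user_id || ! $group_id ) {
        wp_send_json_error( 'invalid request', 400 );
    }

    $group = groups_get_group( $group_id );
    if ( empty( $group->id ) ) {
        wp_send_json_error( 'not found', 404 );
    }
    if ( ! demo_user_can_access_group( $user_id, $group ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_send_json_success( demo_load_board( $group_id ) );
}

// One authorization rule shared by every action (get, add, edit, delete,
// reorder) so no endpoint can silently skip it. Private and hidden groups
// are only readable by their members and by community moderators; a
// mutating action should additionally require membership or moderation.
function demo_user_can_access_group( $user_id, $group ) {
    if ( bp_current_user_can( 'bp_moderate' ) ) {
        return true;                              // site-wide moderator
    }
    if ( 'public' === $group->status ) {
        return true;                              // public group, viewable
    }
    return (bool) groups_is_user_member( $user_id, $group->id );
}

function demo_load_board( $group_id ) {
    return array( 'group_id' => $group_id );      // stand-in for the lookup
}

// Only the hardened handler is registered; the vulnerable one is for contrast.
add_action( 'wp_ajax_demo_get_board', 'demo_get_board_hardened' );
```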
