The vulnerability identified as CVE-2025-12963 affects the LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress, versions up to and including 1.2.29. This plugin provides project and task management features integrated into WordPress, including collaboration tools and visual task tracking via Kanban and Gantt charts. The core issue is a missing authorization check (CWE-862) in the REST API endpoint 'wp-json/lazytasks/api/v1/user/role/edit/'. This endpoint allows modification of user details such as email addresses and roles. Because the plugin does not verify the identity or privileges of the requester, unauthenticated attackers can arbitrarily change any user's email address, including administrators. By changing an administrator's email, attackers can trigger password reset flows to gain full control over the account. Additionally, attackers can escalate privileges by assigning themselves or other users higher roles within the plugin, further compromising the system. The vulnerability is remotely exploitable without any authentication or user interaction, making it highly dangerous. The CVSS 3.1 base score of 9.8 reflects the ease of exploitation and the severe impact on confidentiality, integrity, and availability. Although no public exploits have been reported yet, the critical nature of this flaw demands urgent attention. The vulnerability affects all installations of the plugin up to version 1.2.29, and no official patches or updates have been linked yet, increasing the risk window for affected users.

For European organizations, this vulnerability poses a significant risk to the security of WordPress-based project management environments. Successful exploitation can lead to full account takeover of administrative users, enabling attackers to manipulate project data, access sensitive business information, and disrupt collaboration workflows. The integrity and availability of project management data can be compromised, potentially causing operational delays and loss of trust. Confidential information related to projects, clients, and internal communications may be exposed or altered. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, face additional compliance risks and potential legal consequences. The ease of exploitation without authentication means attackers can target vulnerable sites en masse, increasing the likelihood of widespread compromise. Given the plugin’s collaborative nature, lateral movement within the WordPress environment and escalation to other connected systems is also a concern. This vulnerability could also be leveraged as a foothold for deploying ransomware or other malware, amplifying the impact.

Immediate mitigation steps include disabling the LazyTasks plugin until a security patch is released. Organizations should monitor official vendor channels for updates and apply patches as soon as they become available. In the interim, restricting access to the REST API endpoints via web application firewall (WAF) rules or server-level access controls can help block unauthorized requests to 'wp-json/lazytasks/api/v1/user/role/edit/'. Implementing strict IP whitelisting or authentication requirements for REST API access is recommended. Regularly audit user accounts and roles for unauthorized changes and reset passwords for any suspicious accounts. Employ multi-factor authentication (MFA) on all administrative WordPress accounts to reduce the risk of account takeover. Conduct thorough logging and monitoring of REST API usage to detect anomalous activity. Additionally, organizations should review their WordPress security posture, including plugin management policies, to minimize exposure to similar vulnerabilities. Backup critical data frequently and ensure backups are stored securely offline to enable recovery in case of compromise.