CVE-2025-12963 is a critical security vulnerability identified in the LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress, affecting all versions up to and including 1.2.29. The root cause is a missing authorization check (CWE-862) in the REST API endpoint 'wp-json/lazytasks/api/v1/user/role/edit/'. This endpoint allows modification of user details such as email addresses without validating the requester's identity or privileges. Consequently, an unauthenticated attacker can arbitrarily change any user's email address, including those of administrators. By changing the email, the attacker can trigger password reset mechanisms to gain full account control. Furthermore, the attacker can abuse the same endpoint to assign elevated roles to users, effectively escalating privileges within the plugin's context. The vulnerability requires no authentication or user interaction and can be exploited remotely over the network. The CVSS v3.1 base score of 9.8 underscores the critical nature of this flaw, with impacts spanning confidentiality, integrity, and availability. While no public exploits are currently known, the ease of exploitation and potential damage make this a high-priority threat for affected WordPress sites. The vulnerability was reserved on November 10, 2025, and published on December 12, 2025, by Wordfence. No official patches or updates have been linked yet, emphasizing the need for immediate defensive measures.

The vulnerability allows attackers to take over any user account on affected WordPress sites running the LazyTasks plugin, including administrator accounts. This compromises the confidentiality of sensitive project and task management data and allows attackers to manipulate or delete data, impacting integrity. Attackers can disrupt service availability by locking out legitimate users or deleting critical project information. The ability to escalate privileges and gain administrative access can lead to full site compromise, including installation of backdoors, data exfiltration, or pivoting to other network resources. Organizations relying on this plugin for project management and collaboration face risks of operational disruption, intellectual property theft, and reputational damage. The vulnerability's remote, unauthenticated exploitability increases the likelihood of widespread attacks, especially on publicly accessible WordPress sites. The absence of known exploits currently provides a window for mitigation, but the critical severity demands urgent attention.

Until an official patch is released, organizations should immediately restrict access to the vulnerable REST API endpoint by implementing web application firewall (WAF) rules that block unauthenticated requests to 'wp-json/lazytasks/api/v1/user/role/edit/'. Administrators should audit user accounts for unauthorized email changes or role escalations and reset passwords for any suspicious accounts. Disabling or uninstalling the LazyTasks plugin temporarily can prevent exploitation if project management functionality is not critical. Monitoring logs for unusual API activity and failed password reset attempts can help detect exploitation attempts. Once a patch is available, it should be applied promptly. Additionally, enforcing multi-factor authentication (MFA) for all administrative accounts can mitigate the impact of compromised credentials. Regular backups of WordPress sites and databases should be maintained to enable recovery from potential attacks. Finally, organizations should review and limit plugin usage to trusted and actively maintained components to reduce attack surface.