CVE-2025-14064 is a vulnerability identified in the BuddyTask plugin for WordPress, developed by cytechltd, affecting all versions up to and including 1.3.0. The core issue is a missing authorization check (CWE-862) on multiple AJAX endpoints, which are used to manage task boards within BuddyPress groups. This flaw allows any authenticated user with at least Subscriber-level privileges to bypass intended access controls and perform unauthorized actions such as viewing, creating, modifying, and deleting task boards belonging to any BuddyPress group, including those marked as private or hidden, even if the user is not a member of those groups. The vulnerability arises because the plugin fails to verify whether the requesting user has the necessary capabilities or group membership before processing AJAX requests. The CVSS v3.1 base score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, no privileges required beyond Subscriber, and no user interaction needed. The impact primarily affects confidentiality and integrity of group task data, with no direct availability impact. No patches are currently linked, and no known exploits have been reported in the wild, but the vulnerability presents a significant risk in collaborative environments relying on BuddyTask and BuddyPress. The flaw could be exploited by malicious insiders or compromised low-privilege accounts to manipulate sensitive group task information.

For European organizations, this vulnerability threatens the confidentiality and integrity of task management data within BuddyPress groups, which are often used for internal collaboration and project management. Unauthorized access to private and hidden group task boards could lead to exposure of sensitive project details, strategic plans, or confidential communications. Malicious actors could alter or delete task boards, disrupting workflows and causing operational inefficiencies. Since exploitation requires only Subscriber-level access, attackers could leverage compromised low-privilege accounts or social engineering to gain initial access and then escalate their impact through this vulnerability. Organizations in sectors with strict data protection regulations, such as finance, healthcare, and government, could face compliance risks and reputational damage if sensitive data is exposed or manipulated. The lack of patches increases the window of exposure, emphasizing the need for immediate mitigations. The vulnerability does not affect availability directly but could indirectly impact business continuity through data tampering.

1. Immediately restrict user role assignments to minimize the number of users with Subscriber-level or higher access, especially in environments where BuddyTask is installed. 2. Implement strict monitoring and logging of AJAX endpoint requests related to BuddyTask to detect unusual access patterns or unauthorized modifications. 3. Use Web Application Firewalls (WAFs) with custom rules to block or flag suspicious AJAX requests targeting BuddyTask endpoints. 4. Until an official patch is released, consider disabling the BuddyTask plugin if it is not critical to operations or replacing it with alternative task management solutions that enforce proper authorization. 5. Conduct regular audits of BuddyPress group memberships and task board contents to identify unauthorized changes. 6. Educate users about phishing and credential security to reduce the risk of account compromise. 7. Upon availability, promptly apply vendor patches or updates addressing this vulnerability. 8. Review and harden WordPress security configurations, including limiting plugin installations and enforcing least privilege principles.