CVE-2025-14064 is a vulnerability classified under CWE-862 (Missing Authorization) found in the BuddyTask plugin for WordPress, developed by cytechltd. The issue affects all versions up to and including 1.3.0. The root cause is the absence of proper capability checks on multiple AJAX endpoints within the plugin. These endpoints handle operations related to task boards associated with BuddyPress groups. Due to this missing authorization, any authenticated user with at least Subscriber-level access can bypass intended access controls and perform unauthorized actions such as viewing, creating, modifying, and deleting task boards belonging to any BuddyPress group, including those marked as private or hidden, even if the user is not a member of those groups. The vulnerability impacts the confidentiality and integrity of group task data but does not affect availability. The CVSS v3.1 base score is 6.5, reflecting a medium severity level, with an attack vector of network (remote), low attack complexity, no privileges required beyond authentication, and no user interaction needed. The scope is unchanged as the vulnerability affects the same security domain. No public exploits have been reported yet, and no official patches are linked at the time of this report. The vulnerability was reserved on December 4, 2025, and published on December 12, 2025. The plugin is commonly used in WordPress environments that integrate BuddyPress for social group collaboration, making this vulnerability relevant for organizations relying on these tools for internal or community task management.

The primary impact of CVE-2025-14064 is unauthorized access and modification of task boards within BuddyPress groups managed by the BuddyTask plugin. Confidentiality is compromised as attackers can view sensitive task information from private and hidden groups they do not belong to. Integrity is affected since attackers can create, modify, or delete task boards, potentially disrupting workflows, corrupting data, or causing misinformation. Availability is not directly impacted as the vulnerability does not enable denial-of-service conditions. For organizations, this could lead to data leakage of sensitive project or group information, unauthorized manipulation of task assignments, and loss of trust in collaboration platforms. Attackers with minimal privileges (Subscriber-level) can exploit this, increasing the risk from insider threats or compromised low-privilege accounts. The vulnerability could be leveraged for espionage, sabotage, or to gain further foothold within an organization’s WordPress environment. Since BuddyTask is a plugin used in community and enterprise collaboration contexts, the impact extends to any organization using BuddyPress for group management, including educational institutions, businesses, and online communities worldwide.

Until an official patch is released, organizations should implement the following mitigations: 1) Restrict BuddyTask plugin usage to trusted users only, minimizing Subscriber-level accounts or enforcing stricter user role policies. 2) Employ Web Application Firewalls (WAFs) with custom rules to detect and block suspicious AJAX requests targeting BuddyTask endpoints. 3) Conduct manual code reviews or apply temporary code patches to add capability checks on AJAX handlers, ensuring only authorized users can access or modify task boards. 4) Monitor logs for unusual activity related to BuddyTask AJAX endpoints, such as access attempts from unexpected users or IP addresses. 5) Educate users about the risk of compromised low-privilege accounts and enforce strong authentication mechanisms, including multi-factor authentication (MFA). 6) Once available, promptly update the BuddyTask plugin to a version that includes the authorization fix. 7) Consider isolating or disabling BuddyTask functionality if it is not critical to operations until a secure version is deployed. These steps go beyond generic advice by focusing on access control enforcement, monitoring, and temporary protective measures specific to the vulnerability's nature.