{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14064", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-04T20:57:24.683Z", "datePublished": "2025-12-12T03:20:39.570Z", "dateUpdated": "2026-04-08T16:35:22.365Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:35:22.365Z"}, "affected": [{"vendor": "cytechltd", "product": "BuddyTask", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.3.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of."}], "title": "BuddyTask <= 1.3.0 - Missing Authorization to Authenticated (Subscriber+) Cross-Group Task Board Access and Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0dfe0947-5790-49ba-aa3d-6bc61c12b355?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L458"}, {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L666"}, {"url": "https://cwe.mitre.org/data/definitions/862.html"}, {"url": "https://plugins.trac.wordpress.org/browser/buddytask/tags/1.3.0/buddytask.php#L458"}, {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L763"}, {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L840"}, {"url": "https://plugins.trac.wordpress.org/changeset/3416754/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "timeline": [{"time": "2025-12-11T14:24:56.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-15T18:08:31.831947Z", "id": "CVE-2025-14064", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:17:09.131Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14064", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-15T18:08:31.831947Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-15T18:08:34.569Z"}}], "cna": {"title": "BuddyTask <= 1.3.0 - Missing Authorization to Authenticated (Subscriber+) Cross-Group Task Board Access and Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "Itthidej Aramsri"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"}}], "affected": [{"vendor": "cytechltd", "product": "BuddyTask", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "1.3.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-11T14:24:56.000+00:00", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0dfe0947-5790-49ba-aa3d-6bc61c12b355?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L458"}, {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L666"}, {"url": "https://cwe.mitre.org/data/definitions/862.html"}, {"url": "https://plugins.trac.wordpress.org/browser/buddytask/tags/1.3.0/buddytask.php#L458"}, {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L763"}, {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L840"}, {"url": "https://plugins.trac.wordpress.org/changeset/3416754/"}], "descriptions": [{"lang": "en", "value": "The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-12-12T03:20:39.570Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14064", "state": "PUBLISHED", "dateUpdated": "2025-12-15T18:17:09.131Z", "dateReserved": "2025-12-04T20:57:24.683Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-12T03:20:39.570Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of."}], "id": "CVE-2025-14064", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-12-12T04:15:47.053", "references": [{"source": "security@wordfence.com", "url": "https://cwe.mitre.org/data/definitions/862.html"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/buddytask/tags/1.3.0/buddytask.php#L458"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L458"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L666"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L763"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L840"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3416754/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0dfe0947-5790-49ba-aa3d-6bc61c12b355?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:18:05.742092+00:00", "value": {"mitigation_remediation": ["Update BuddyTask to a version where the missing capability check has been fixed, if an update is available.", "If an update cannot be applied immediately, modify the user role capabilities so that Subscriber users lack the permission to access BuddyTask AJAX endpoints\u2014this can be done with a role editor plugin or custom code.", "Disable or remove the BuddyTask plugin from the WordPress installation if the functionality is not required for the current operation.", "Monitor application logs for unusual activity involving task board creation or modification to detect potential abuse."], "summary": {"action": "Patch or Restrict", "impact": "Unauthorized Access and Modification of Task Boards"}, "threat_synthesis": {"affected_systems": "This issue affects installations of the BuddyTask plugin for WordPress up to and including version 1.3.0. There are no distinct vendor or product versions beyond the provided range; any instance of BuddyTask at or below this version is susceptible.", "description_and_impact": "The BuddyTask plugin for WordPress suffers from a missing capability check on multiple AJAX endpoints in all released versions through 1.3.0, a flaw identified as CWE\u2011862 (Missing Authorization). The flaw allows an authenticated user who holds a Subscriber role or higher to bypass access controls and perform actions against any task board tied to a BuddyPress group, regardless of group visibility. As a result, an attacker can view, create, modify, or delete task boards for any group, including private or hidden groups to which they do not belong.", "risk_and_exploitability": "The vulnerability has a CVSS score of 5.4, indicating a moderate impact. The EPSS score is less than 1\u202f%, suggesting a low probability of exploitation at this time, and the flaw is not listed in the CISA KEV catalog. However, an attacker only needs to be authenticated with a Subscriber account or higher, which is a very common role on WordPress sites, so the attack vector is likely local to the site\u2019s authentication system. Once authenticated, exploitation allows the attacker to compromise the integrity and confidentiality of task board data across all groups, potentially exposing sensitive group discussions and project tasks."}}}}, "created": "2025-12-12T08:48:23.554262+00:00", "updated": "2026-04-22T16:30:22.136641+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}