Description
The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of.
Published: 2025-12-12
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access and Modification of Task Boards
Action: Patch or Restrict
AI Analysis

Impact

The BuddyTask plugin for WordPress omits a capability check on multiple AJAX endpoints in all released versions up to and including 1.3.0, classified as CWE-862 (Missing Authorization). In WordPress, AJAX handlers for logged-in users (the wp_ajax_* hooks) only establish that the caller is authenticated; whether that user may act on a specific object, here a BuddyPress group, has to be verified inside the handler, and that object-level check is what is missing. Any account with the Subscriber role or higher can therefore supply an arbitrary group identifier and have the request honoured. As a result, an attacker can view, create, modify, or delete task boards for any group, including private or hidden groups they are not a member of, regardless of the group's visibility setting.
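An added illustration of the bug class, not BuddyTask's own code: a minimal logged-in AJAX handler that trusts any authenticated caller, beside a hardened version that verifies the nonce, resolves the group and requires membership (and, for writes, a group admin or moderator role) before touching the board. The action names, the `group_id` and `title` parameters, every `example_*` function and the option used for storage are assumptions made for this example.

```php
<?php
/**
 * Illustrative AJAX handler pair; NOT code from the BuddyTask plugin.
 * Action names, request parameters and storage are assumptions.
 */

// Hypothetical storage: one list of board titles per group, kept in an option.
function example_store_board( $group_id, $title ) {
    $boards = get_option( 'example_task_boards', array() );
    $boards[ $group_id ][] = $title;
    update_option( 'example_task_boards', $boards );
}

// --- Vulnerable pattern -------------------------------------------------
// wp_ajax_* hooks only run for logged-in users, and that is the only check.
// A Subscriber can send any group_id, including that of a hidden group.
add_action( 'wp_ajax_example_task_board_save', 'example_task_board_save_vulnerable' );
function example_task_board_save_vulnerable() {
    $group_id = absint( $_POST['group_id'] ?? 0 );
    $title    = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    example_store_board( $group_id, $title );
    wp_send_json_success( array( 'group_id' => $group_id ) );
}

// --- Hardened pattern ---------------------------------------------------
// Object-level authorization against the group the board belongs to.
function example_user_can_touch_group_board( $user_id, $group_id, $write = false ) {
    if ( ! function_exists( 'groups_get_group' ) ) {
        return false; // BuddyPress groups component not active: fail closed
    }
    $group = groups_get_group( $group_id );
    if ( empty( $group->id ) ) {
        return false; // unknown group: deny instead of creating orphan data
    }
    if ( current_user_can( 'manage_options' ) ) {
        return true;  // site administrators keep full access
    }
    // Membership is what makes private and hidden groups opaque to outsiders.
    if ( ! groups_is_user_member( $user_id, $group_id ) ) {
        return false;
    }
    // Assumed policy for the example: writes need a group admin or moderator.
    if ( $write ) {
        return groups_is_user_admin( $user_id, $group_id )
            || groups_is_user_mod( $user_id, $group_id );
    }
    return true;
}

add_action( 'wp_ajax_example_task_board_save_fixed', 'example_task_board_save_fixed' );
function example_task_board_save_fixed() {
    // CSRF: nonce expected in the `nonce` field; third argument false so we
    // control the failure response instead of the default die().
    if ( ! check_ajax_referer( 'example_task_board', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'bad nonce' ), 403 );
    }
    $group_id = absint( $_POST['group_id'] ?? 0 );
    $title    = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );

    // Authorization: the missing check. Deny unless this user may write to
    // this particular group's board.
    if ( ! example_user_can_touch_group_board( get_current_user_id(), $group_id, true ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }
    example_store_board( $group_id, $title );
    wp_send_json_success( array( 'group_id' => $group_id ) );
}
```

The nonce alone would not have prevented this issue: a Subscriber can obtain a valid nonce from any page that loads the plugin's script. The membership check is the part that ties the request to the group it names, which is why `groups_is_user_member()` is evaluated per request rather than relying on the role the user holds site-wide.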

Affected Systems

This issue affects installations of the BuddyTask plugin for WordPress up to and including version 1.3.0. No fixed release is listed on this page, so any installation at or below that version should be treated as vulnerable.

Risk and Exploitability

The current CVSS 3.1 score is 5.4 (Medium), vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N: the endpoints are reachable over the network through the WordPress AJAX handler (normally admin-ajax.php), exploitation needs no special conditions or user interaction, and the only precondition is a low-privilege account. The vector was revised on 8 Apr 2026 from PR:N (score 6.5) to PR:L (score 5.4), which matches the Subscriber-or-higher requirement in the description. The EPSS score is below 1 %, the flaw is not listed in the CISA KEV catalog, and the SSVC assessment records no known exploitation, but that assessment also rates the issue as automatable, and a Subscriber account is trivially obtained on any site that allows self-registration. Once authenticated, the attacker can read and alter task board data across every group, including private and hidden ones, exposing group discussions and project tasks; availability is not affected.

Generated by OpenCVE AI on April 22, 2026 at 16:18 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update BuddyTask to a version where the missing capability check has been fixed, if an update is available.
  • If an update cannot be applied immediately, restrict the plugin's AJAX endpoints server-side. Removing capabilities from the Subscriber role (with a role editor plugin or custom code) only helps if the plugin consults those capabilities, which is exactly the check it lacks; a more reliable interim control is custom code, for example a must-use plugin, that refuses the plugin's AJAX actions unless the calling user is a member of the targeted BuddyPress group.
  • Disable or remove the BuddyTask plugin from the WordPress installation if the functionality is not required for the current operation.
  • Monitor web server and application logs for unusual admin-ajax.php activity involving task board creation or modification, in particular requests from low-privilege accounts that name groups those users do not belong to.
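The interim gate and the logging from the recommended actions above, as an added example rather than anything shipped by the plugin or by OpenCVE: a must-use plugin that intercepts admin-ajax.php requests before the plugin's own handlers run and refuses, and logs, any gated action whose caller is not a member of the targeted group. The action-name prefix and the `group_id` parameter are assumptions; the real values must be taken from the plugin's own `add_action( 'wp_ajax_...' )` registrations.

```php
<?php
/**
 * Plugin Name: Example group AJAX gate (mu-plugin)
 *
 * Illustrative interim mitigation; NOT BuddyTask's code. Drop into
 * wp-content/mu-plugins/. The prefix below and the `group_id` parameter
 * name are assumptions: read the real action names from the plugin source.
 */

// ASSUMPTION: the plugin's AJAX actions share this prefix.
define( 'EXAMPLE_GATED_ACTION_PREFIX', 'example_task_' );

// admin-ajax.php fires admin_init before do_action( "wp_ajax_{$action}" ),
// so a denial here runs ahead of the plugin's unprotected handler.
add_action( 'admin_init', 'example_gate_group_ajax', 1 );
function example_gate_group_ajax() {
    if ( ! wp_doing_ajax() ) {
        return;
    }
    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( strpos( $action, EXAMPLE_GATED_ACTION_PREFIX ) !== 0 ) {
        return; // not one of the gated endpoints
    }

    $user_id  = get_current_user_id();
    $group_id = absint( $_REQUEST['group_id'] ?? 0 ); // ASSUMPTION: parameter name

    if ( example_gate_allows( $user_id, $group_id ) ) {
        return; // let the plugin handle the request as usual
    }

    // Detection: one structured line per denied attempt in the PHP error log.
    // Repeated denials from one user across many group ids is the enumeration
    // pattern to alert on.
    error_log( sprintf(
        'ajax-gate deny action=%s user=%d group=%d ip=%s',
        $action,
        $user_id,
        $group_id,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
}

// Fail closed: anonymous callers, missing group ids and an inactive groups
// component are all refused; only site admins and group members pass.
function example_gate_allows( $user_id, $group_id ) {
    if ( ! $user_id ) {
        return false;
    }
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    if ( ! $group_id || ! function_exists( 'groups_is_user_member' ) ) {
        return false;
    }
    return (bool) groups_is_user_member( $user_id, $group_id );
}
```

Because the gate denies any gated action without a `group_id`, list-style endpoints that identify the group some other way (a board id, a slug) would need their own lookup before the membership check; confirm each action's parameters against the plugin source before enabling it on a production site.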

Advisories

No advisories yet.

History

Wed, 08 Apr 2026 17:00:00 +0000

Type: Metrics (cvssV3_1)
Values Removed: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}
Values Added: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}


Mon, 15 Dec 2025 19:15:00 +0000

Type: Metrics (ssvc)
Values Added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 12 Dec 2025 09:00:00 +0000

Type: First Time appeared
Values Added: Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Wordpress; Wordpress wordpress

Fri, 12 Dec 2025 03:45:00 +0000

Type: Description
Values Added: The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of.

Type: Title
Values Added: BuddyTask <= 1.3.0 - Missing Authorization to Authenticated (Subscriber+) Cross-Group Task Board Access and Manipulation

Type: Weaknesses
Values Added: CWE-862

Type: References

Type: Metrics (cvssV3_1)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:35:22.365Z

Reserved: 2025-12-04T20:57:24.683Z

Link: CVE-2025-14064

Vulnrichment

Updated: 2025-12-15T18:08:34.569Z

NVD

Status : Deferred

Published: 2025-12-12T04:15:47.053

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14064

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T16:30:22Z

Weaknesses