CVE-2025-12963
Published: 12 December 2025
Summary
CVE-2025-12963 is a critical-severity Missing Authorization (CWE-862) vulnerability in WordPress (inferred from references). Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 38.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): Enforces approved authorizations on the vulnerable REST API endpoint to prevent unauthenticated privilege escalation via unauthorized user email and role updates.
- SI-2 (Flaw Remediation): Requires timely identification, reporting, and patching of the specific authorization flaw in the LazyTasks WordPress plugin to eliminate the vulnerability.
- Manages account identifiers, attributes like email addresses, and plugin role memberships with identity validation to mitigate unauthorized modifications.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability allows unauthenticated exploitation of a public-facing WordPress REST API endpoint (T1190) to manipulate user accounts by changing emails/roles for account takeover and privilege escalation (T1068, T1098).
NVD Description
The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including administrators', and leverage that to reset the user's password and gain access to their account. It is also possible for attackers to abuse this endpoint to grant users access to additional roles within the plugin.
Deeper analysis
CVE-2025-12963 is a critical privilege escalation vulnerability affecting the LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress, in all versions up to and including 1.2.29. The issue stems from the plugin's failure to properly validate a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint before updating user details, such as email addresses. This flaw, classified under CWE-862 (Missing Authorization), has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-12.
Unauthenticated attackers can exploit this vulnerability remotely with low complexity and no privileges required. By abusing the vulnerable endpoint, they can arbitrarily change any user's email address, including those of administrators, and then leverage standard WordPress password reset functionality to take over the account. Additionally, attackers can grant targeted users access to additional roles within the plugin, potentially escalating their own privileges or those of other accounts.
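As an added illustration of the flaw class described above (not the LazyTasks plugin's own code, which this page does not show), the following hypothetical WordPress REST route is registered twice: once with the weak pattern, where permission_callback admits every caller and the handler trusts a user_id from the request body, and once hardened, where WordPress evaluates the permission_callback before the handler runs and requires the authenticated caller to hold the edit_user capability for the specific target account. Namespace, route and field names are assumptions.

```php
<?php
// Added example, not the LazyTasks plugin's code: a REST route that updates a user's
// email. Namespace, route and field names are hypothetical.

// WEAK: permission_callback '__return_true' admits any caller, logged in or not, and
// the handler trusts the user_id in the body, so any account's email can be rewritten
// by anyone (CWE-862, the pattern this advisory describes).
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/user/role/edit', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_user_email',
        'permission_callback' => '__return_true', // weak: no authorization
    ) );
} );

// HARDENED: same handler, but WordPress runs permission_callback before the handler
// and answers 401/403 when it fails, so unauthenticated callers never reach it.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/user/role/edit-secure', array(
        'methods'             => 'POST',
        'callback'            => 'example_update_user_email',
        'permission_callback' => 'example_can_edit_target_user',
        'args'                => array(
            'user_id' => array( 'required' => true, 'validate_callback' => 'is_numeric' ),
            'email'   => array( 'required' => true, 'validate_callback' => 'is_email' ),
        ),
    ) );
} );

function example_can_edit_target_user( WP_REST_Request $request ) {
    // Cookie-authenticated REST calls also need a valid X-WP-Nonce; without one
    // WordPress treats the caller as logged out and this check fails closed.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    // Object-level check: the caller must be allowed to edit *this* user, not merely
    // be logged in. Administrators pass; subscribers and anonymous callers do not.
    if ( ! current_user_can( 'edit_user', (int) $request->get_param( 'user_id' ) ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not edit this user.', array( 'status' => 403 ) );
    }
    return true;
}

function example_update_user_email( WP_REST_Request $request ) {
    $result = wp_update_user( array(
        'ID'         => (int) $request->get_param( 'user_id' ),
        'user_email' => sanitize_email( $request->get_param( 'email' ) ),
    ) );
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'updated' => true ) );
}
```

When auditing a plugin for this class of bug, grep its register_rest_route calls for '__return_true' or a missing permission_callback and confirm that each remaining callback checks the capability against the specific object being modified, not just login state.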
Mitigation details are available in related advisories, including the Wordfence threat intelligence report at https://www.wordfence.com/threat-intel/vulnerabilities/id/c6998185-0f9b-48ab-9dca-05adf5ae603a?source=cve and the plugin's WordPress.org page at https://wordpress.org/plugins/lazytasks-project-task-management/. Security practitioners should review these sources for patch availability, update recommendations, and workaround guidance.
Details
- CWE(s)