CVE-2025-68869

Critical

Published: 22 January 2026

Published

22 January 2026

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0006 19.2th percentile

Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-68869 is a critical-severity Incorrect Privilege Assignment (CWE-266) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 19.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-2 (Account Management) and AC-6 (Least Privilege).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Directly mitigates the privilege escalation vulnerability by requiring timely remediation through patching the affected LazyTasks plugin versions up to 1.2.37.

AC-6 Least Privilege good match

prevent

Enforces the principle of least privilege to limit the impact and success of unauthorized privilege escalation attempts via the plugin flaw.

AC-2 Account Management good match

prevent

Ensures proper management and assignment of account privileges, countering incorrect privilege assignment in the LazyTasks plugin.

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation

Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

Direct privilege escalation exploit in unauthenticated public-facing WordPress plugin.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Incorrect Privilege Assignment vulnerability in LazyCoders LLC LazyTasks lazytasks-project-task-management allows Privilege Escalation.This issue affects LazyTasks: from n/a through <= 1.2.37.

Deeper analysisAI

CVE-2025-68869 is an Incorrect Privilege Assignment vulnerability (CWE-266) in the LazyTasks WordPress plugin (lazytasks-project-task-management) developed by LazyCoders LLC. This flaw enables privilege escalation and affects all versions of the plugin from its initial release through 1.2.37.

The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical. Unauthenticated attackers can exploit it over the network with low attack complexity and no user interaction, achieving high impacts on confidentiality, integrity, and availability via privilege escalation.

Mitigation details are available in the Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/lazytasks-project-task-management/vulnerability/wordpress-lazytasks-plugin-1-2-37-privilege-escalation-vulnerability?_s_id=cve.

Details

CWE(s): CWE-266

CVEs Like This One

CVE-2026-32520Shared CWE-266

CVE-2025-44655Shared CWE-266

CVE-2026-27051Shared CWE-266

CVE-2026-23800Shared CWE-266

CVE-2026-32519Shared CWE-266

CVE-2026-32488Shared CWE-266

CVE-2026-32916Shared CWE-266

CVE-2024-56000Shared CWE-266

CVE-2026-23550Shared CWE-266

CVE-2026-24968Shared CWE-266

References

https://patchstack.com/database/Wordpress/Plugin/lazytasks-project-task-management/vulnerability/wordpress-lazytasks-plugin-1-2-37-privilege-escalation-vulnerability?_s_id=cve
audit@patchstack.com