CVE-2025-14064
Description
The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing capability checks on multiple AJAX endpoints in the BuddyTask WordPress plugin allow subscribers to view, create, modify, and delete task boards belonging to any BuddyPress group.
The BuddyTask plugin for WordPress contains a Missing Authorization vulnerability across multiple AJAX endpoints. This is a class-level weakness (CWE-862) where the software does not perform an authorization check when an actor attempts to access a resource or perform an action [1]. In versions up to and including 1.3.0, the plugin fails to verify that the user has the necessary capabilities before handling AJAX requests for task board operations.
An authenticated attacker with Subscriber-level access or above can exploit these endpoints. The vulnerability allows the attacker to interact with task boards belonging to any BuddyPress group, including private and hidden groups that the attacker is not a member of. No additional privileges or special network access are required beyond having a valid account on the WordPress site.
Successful exploitation enables the attacker to view, create, modify, and delete task boards associated with any group on the site. This compromises the integrity and confidentiality of task management data, potentially exposing sensitive information contained in private or hidden group boards.
As of the publication date, the vendor has not released a patched version, and users are advised to update when available or restrict access to the plugin until a fix is deployed.
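As an added illustration of the weakness class described above, and not BuddyTask's own code (the plugin's real handlers are in the referenced buddytask.php): a hypothetical WordPress AJAX handler for a group task board, first in the CWE-862 shape where any logged-in user reaches it, then hardened with a nonce and a per-group membership and role check resolved server-side from the board id. The btx_* names and the two data-layer helpers are assumptions.

```php
<?php
// Hypothetical example, not code from the BuddyTask plugin.
// Assumed data-layer helpers; a real plugin would query its own tables.
function btx_get_board_group_id( $board_id ) { return 0; } // placeholder
function btx_delete_board_row( $board_id ) { return true; } // placeholder

// Vulnerable shape (CWE-862, shown for contrast, deliberately not hooked):
// wp_ajax_* only requires a session, so a Subscriber can call this and
// nothing verifies that the caller may touch the board's group.
function btx_delete_board_unchecked() {
    $board_id = isset( $_POST['board_id'] ) ? absint( $_POST['board_id'] ) : 0;
    btx_delete_board_row( $board_id ); // acts on any group's board
    wp_send_json_success();
}

// Authorization scoped to the BuddyPress group that owns the board.
// Membership is checked against the group id looked up from the board,
// never against a group id supplied by the client.
function btx_user_can_manage_board( $user_id, $board_id ) {
    $group_id = btx_get_board_group_id( $board_id );
    if ( ! $group_id ) {
        return false;
    }
    // Site-wide community moderators may manage any group's boards.
    if ( bp_current_user_can( 'bp_moderate' ) ) {
        return true;
    }
    // Otherwise the user must belong to the group (this excludes private
    // and hidden groups they have not joined) and be one of its admins.
    return (bool) groups_is_user_member( $user_id, $group_id )
        && groups_is_user_admin( $user_id, $group_id );
}

// Hardened handler: nonce (CSRF) first, then the authorization check.
function btx_delete_board_checked() {
    check_ajax_referer( 'btx_board_nonce', 'nonce' );
    $board_id = isset( $_POST['board_id'] ) ? absint( $_POST['board_id'] ) : 0;
    if ( ! is_user_logged_in()
        || ! btx_user_can_manage_board( get_current_user_id(), $board_id ) ) {
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }
    btx_delete_board_row( $board_id );
    wp_send_json_success();
}
// Only the checked handler is registered; no wp_ajax_nopriv_ variant, so
// unauthenticated requests never reach it.
add_action( 'wp_ajax_btx_delete_board', 'btx_delete_board_checked' );
```

The same pattern applies to the view, create and modify endpoints: each must derive the owning group from the stored object and check membership and role against that group before acting.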
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Two entries, neither with a CPE assigned:
- (no CPE) range: <=1.3.0
- (no CPE) range: <=1.3.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- cwe.mitre.org/data/definitions/862.html (source: nvd)
- plugins.trac.wordpress.org/browser/buddytask/tags/1.3.0/buddytask.php (source: nvd)
- plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php (source: nvd)
- plugins.trac.wordpress.org/changeset/3416754/ (source: nvd)
- www.wordfence.com/threat-intel/vulnerabilities/id/0dfe0947-5790-49ba-aa3d-6bc61c12b355 (source: nvd)
News mentions
No linked articles in our index yet.