PT-2025-50812 · WordPress · Lazytasks

Athiwat Tiprasaharn · Published 2025-12-12 · Updated 2025-12-17 · CVE-2025-12963

CVSS v3.1: 9.8 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress, versions prior to 1.2.30

Description

The LazyTasks plugin for WordPress does not verify the identity or the privileges of the caller before applying updates to user details. The REST endpoint /wp-json/lazytasks/api/v1/user/role/edit/ is reachable without authentication, so an unauthenticated attacker can change the email address of an arbitrary user, including an administrator. Once the email address points to an attacker-controlled mailbox, the attacker can trigger WordPress's password-reset flow for that user, set a new password and take over the account. The same endpoint can also be abused to grant users additional roles within the plugin. The CVSS vector reflects this: no privileges and no user interaction are required, and the impact on confidentiality, integrity and availability is high.

Recommendations

Update the LazyTasks plugin to version 1.2.30 or later. Until the update is applied, the endpoint should be blocked at the web server or WAF, and administrator email addresses and roles should be checked for unexpected changes.
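The following is an added illustration of this bug class in a WordPress REST route, not code from the LazyTasks plugin (the plugin's source is not reproduced on this page). Only the route path comes from the advisory; the namespace split, the parameter names `user_id`, `email` and `role`, and the function names are assumptions. The vulnerable handler is shown for contrast only and is not wired to the route; the registration uses the hardened permission callback.

```php
<?php
/**
 * Added example, not the LazyTasks plugin's code. Route path from the advisory;
 * parameter names, namespace split and function names are assumptions.
 */

// --- Vulnerable pattern (for contrast, NOT registered below) -----------------
// With 'permission_callback' => '__return_true' the route is public, and the
// handler trusts the user_id in the request body, so any caller can rewrite
// any account's email address and append roles to it.
function example_vuln_user_role_edit( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $result  = wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => $request->get_param( 'email' ),
    ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    if ( $request->get_param( 'role' ) ) {
        get_userdata( $user_id )->add_role( $request->get_param( 'role' ) );
    }
    return rest_ensure_response( array( 'updated' => $user_id ) );
}

// --- Hardened pattern ---------------------------------------------------------
// Authentication and authorization are decided in the permission callback, per
// target user, before the handler runs.
function example_user_role_edit_permission( WP_REST_Request $request ) {
    // Cookie-authenticated REST calls only resolve to a user when a valid
    // X-WP-Nonce accompanies them; without it WordPress sets the user to 0.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_not_logged_in', 'Authentication required.', array( 'status' => 401 ) );
    }
    $target = (int) $request->get_param( 'user_id' );
    // 'edit_user' is a meta capability: true for the user editing themself and
    // for users holding 'edit_users' (administrators); false for everyone else.
    if ( ! current_user_can( 'edit_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not edit this user.', array( 'status' => 403 ) );
    }
    // Granting roles is a separate privilege from editing a profile.
    if ( $request->get_param( 'role' ) && ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not change roles.', array( 'status' => 403 ) );
    }
    return true;
}

function example_user_role_edit( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    // email and role were sanitized and validated by the 'args' schema below.
    $result = wp_update_user( array(
        'ID'         => $user_id,
        'user_email' => $request->get_param( 'email' ),
    ) );
    if ( is_wp_error( $result ) ) {
        return $result; // e.g. 'existing_user_email' when the address is taken
    }
    if ( $request->get_param( 'role' ) ) {
        get_userdata( $user_id )->add_role( $request->get_param( 'role' ) );
    }
    return rest_ensure_response( array( 'updated' => $user_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'lazytasks/api/v1', '/user/role/edit/', array(
        'methods'             => WP_REST_Server::CREATABLE,
        // Vulnerable registrations use '__return_true' here.
        'permission_callback' => 'example_user_role_edit_permission',
        'callback'            => 'example_user_role_edit',
        'args'                => array(
            'user_id' => array(
                'required'          => true,
                'validate_callback' => function ( $value ) {
                    return is_numeric( $value ) && (int) $value > 0;
                },
            ),
            'email'   => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_email',
                'validate_callback' => function ( $value ) {
                    return false !== is_email( $value );
                },
            ),
            'role'    => array(
                'sanitize_callback' => 'sanitize_key',
                // Only roles that actually exist on this site are accepted.
                'validate_callback' => function ( $value ) {
                    return wp_roles()->is_role( $value );
                },
            ),
        ),
    ) );
} );
```

The point of the hardened version is that the check is tied to the target of the change, not just to "is someone logged in": `current_user_can( 'edit_user', $target )` is evaluated for the specific `user_id` in the request, so a low-privileged account cannot rewrite an administrator's email even when authenticated, and an unauthenticated request never reaches the handler at all.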

Fix

Weakness Enumeration

Missing Authorization

Related Identifiers

CVE-2025-12963

Affected Products

Lazytasks