Multiple Critical Vulnerabilities in WordPress (CVE-2025-12963, CVE-2025-14344, CVE-2025-13764, CVE-2025-13613)

Published On: Dec 14, 2025 20:53

Advisory No: TZCERT-SA-25-0127

Source: Wordfence

Software Affected: lazytasks, gf-multi-uploader, wp-cardealer, eltdf-membership

Overview

WordPress sites running the affected plugins are exposed to critical vulnerabilities. Exploitation of these vulnerabilities may allow an unauthenticated attacker to gain administrative access to the affected system.

Description

The WordPress plugins lazytasks, gf-multi-uploader, wp-cardealer, and eltdf-membership are affected by the vulnerabilities tracked as CVE-2025-12963, CVE-2025-14344, CVE-2025-13764, and CVE-2025-13613, each with a CVSS score of 9.8. The flaws are: improper validation of a user's identity via the 'wp-json/lazytasks/api/v1/user/role/edit/' REST API endpoint before updating details such as the email address; insufficient file path validation in the 'plupload_ajax_delete_file' function; the 'WP_CarDealer_User::process_register' function not restricting which user roles a user can register with; and improperly logging a user in with data that was previously verified through the 'eltdf_membership_check_facebook_user' and 'eltdf_membership_login_user_from_social_network' functions. Successful exploitation of these vulnerabilities allows unauthenticated attackers to change arbitrary users' email addresses, delete arbitrary files on the server, gain administrator access to the site, and gain access to an administrative user's email.
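The first flaw class above (a REST endpoint that updates a user's details without validating who is calling) is the one plugin authors most often get wrong with an over-permissive permission_callback. The following is an added illustration of the defender-side pattern, not code from lazytasks or any other plugin named here; the route name, namespace and function names are hypothetical.

```php
<?php
// Added illustration, not code from any of the plugins named in this advisory.
// Hypothetical REST route that lets a user update an email address.
// The weak pattern is a permission_callback that accepts every caller
// (e.g. '__return_true') while the handler trusts a user ID from the request.
add_action( 'rest_api_init', function () {
    register_rest_route( 'example-plugin/v1', '/user/email', array(
        'methods'             => 'POST',
        'callback'            => 'example_plugin_update_email',
        // State-changing routes must never use '__return_true' here.
        'permission_callback' => 'example_plugin_can_edit_target',
        'args'                => array(
            'user_id' => array( 'required' => true, 'type' => 'integer' ),
            'email'   => array( 'required' => true, 'type' => 'string' ),
        ),
    ) );
} );

function example_plugin_can_edit_target( WP_REST_Request $request ) {
    // Anonymous callers are rejected before any data is touched.
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'rest_forbidden', 'Authentication required.', array( 'status' => 401 ) );
    }
    $target = (int) $request->get_param( 'user_id' );
    // 'edit_user' resolves to "the caller's own account, or the caller holds
    // edit_users"; the decision comes from the session, not the request body.
    if ( ! current_user_can( 'edit_user', $target ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot edit this user.', array( 'status' => 403 ) );
    }
    return true;
}

function example_plugin_update_email( WP_REST_Request $request ) {
    $target = (int) $request->get_param( 'user_id' );
    $email  = sanitize_email( $request->get_param( 'email' ) );
    if ( ! is_email( $email ) ) {
        return new WP_Error( 'rest_invalid_param', 'Invalid email address.', array( 'status' => 400 ) );
    }
    // Only the field this route exists for is written; role and other
    // privileged fields are never taken from the request.
    $result = wp_update_user( array( 'ID' => $target, 'user_email' => $email ) );
    if ( is_wp_error( $result ) ) {
        return $result;
    }
    return rest_ensure_response( array( 'updated' => $target ) );
}
```

Under cookie authentication WordPress only treats a REST request as logged in when it carries a valid X-WP-Nonce header, so a request without one lands in the 401 branch rather than being processed as an anonymous edit.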

Impact

Successful exploitation of these vulnerabilities may allow an attacker to gain access to the affected system.

Solution

WordPress has released security patches for these vulnerabilities. Users and administrators are encouraged to apply the necessary updates.
