CVE-2025-12963
The · The LazyTasks Multiple Products
Executive summary
A critical vulnerability has been identified in The LazyTasks WordPress plugin, allowing unauthenticated attackers to take over any user account, including those with administrative privileges. By exploiting a flaw in a REST API endpoint, an attacker can change a user's email address, initiate a password reset, and gain complete control of the account. This can lead to a full compromise of the affected WordPress website, posing a severe risk to data integrity, confidentiality, and availability.
Vulnerability
The vulnerability exists within the /wp-json/lazytasks/api/v1/user/role/edit/ REST API endpoint. This endpoint is responsible for updating user details but fails to perform proper authentication or authorization checks to verify that the request is coming from a legitimate, privileged user. An unauthenticated remote attacker can send a specially crafted request to this endpoint to modify the details of an arbitrary user on the site by guessing or knowing their user ID or username. The primary attack vector involves changing the email address associated with an administrator account to one controlled by the attacker, who can then use the standard WordPress password reset function to take over the account.
Business impact
This vulnerability is rated as critical severity with a CVSS score of 9.8, reflecting the ease of exploitation and the potential for catastrophic impact. Successful exploitation grants an attacker full administrative control over the WordPress site. This can lead to severe business consequences, including theft of sensitive customer or business data, website defacement, injection of malware to attack site visitors, complete service disruption, and significant reputational damage. The compromised website could also be used as a platform for launching further attacks against other systems.
Remediation
Immediate Action: Update The LazyTasks plugin to the latest patched version on all WordPress instances without delay. After patching, review all user accounts, particularly those with administrative privileges, for any unauthorized changes to email addresses or user roles.
Proactive Monitoring: System administrators should actively monitor web server access logs for any POST requests to the vulnerable endpoint: /wp-json/lazytasks/api/v1/user/role/edit/. Pay close attention to requests originating from untrusted or unexpected IP addresses. Implement alerts for any changes made to high-privilege user accounts outside of normal administrative activity.
Compensating Controls: If immediate patching is not feasible, consider the following temporary measures:
- Use a Web Application Firewall (WAF) to create a rule that blocks all access to the vulnerable /wp-json/lazytasks/api/v1/user/role/edit/ path.
- Temporarily disable The LazyTasks plugin until it can be safely updated.
- Restrict access to the WordPress REST API at the web server level if it is not required for public-facing functionality.
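Detection logic for the log-monitoring and WAF guidance above, added here as an illustration and not code from the advisory or the plugin vendor: it scans Combined Log Format access-log lines for POST requests to the vulnerable route and counts hits per source IP, normalising both the pretty /wp-json/ form and WordPress's standard ?rest_route= query form so a WAF or alert rule keyed only on the literal path does not miss the second form. The route and method are the advisory's; the sample log lines and IP addresses are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, unquote, urlsplit

# Route from the advisory. WordPress also serves REST routes through the
# query form /?rest_route=<route>, so both forms are normalised below.
VULN_ROUTE = "/lazytasks/api/v1/user/role/edit/"
REST_PREFIX = "/wp-json"

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample lines (RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2025:09:14:03 +0000] "POST /wp-json/lazytasks/api/v1/user/role/edit/ HTTP/1.1" 200 87 "-" "python-requests/2.31"
203.0.113.7 - - [10/Nov/2025:09:14:05 +0000] "POST /?rest_route=%2Flazytasks%2Fapi%2Fv1%2Fuser%2Frole%2Fedit HTTP/1.1" 200 87 "-" "python-requests/2.31"
198.51.100.2 - - [10/Nov/2025:09:15:11 +0000] "GET /wp-json/lazytasks/api/v1/user/role/edit/ HTTP/1.1" 405 55 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Nov/2025:09:16:40 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 512 "-" "Mozilla/5.0"
"""

def rest_route_of(target: str) -> str:
    """Return the REST route a request target maps to ('' if it is not a
    REST request). Percent-decoded, lower-cased, with a single trailing '/'."""
    parts = urlsplit(target)
    path = unquote(parts.path).lower()
    if path.startswith(REST_PREFIX + "/"):
        route = path[len(REST_PREFIX):]
    else:
        # parse_qs percent-decodes values, so %2F becomes '/'
        route = parse_qs(parts.query).get("rest_route", [""])[0].lower()
    return route.rstrip("/") + "/" if route.startswith("/") else ""

def vuln_endpoint_hit(line: str):
    """Return {ip, time, status} for a POST to the vulnerable route, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "POST":
        return None
    if rest_route_of(m["target"]) != VULN_ROUTE:
        return None
    return {"ip": m["ip"], "time": m["time"], "status": int(m["status"])}

def scan(lines):
    """Flagged requests plus a per-source-IP count for alerting thresholds."""
    hits = [h for h in map(vuln_endpoint_hit, lines) if h]
    return hits, Counter(h["ip"] for h in hits)
```

On the sample log the scan flags the two POSTs from 203.0.113.7 (one in each URL form) and ignores the GET and the unrelated REST call; a 200 status on a flagged request is the signal to review the affected accounts.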
Exploitation status
Public Exploit Available: false
Analyst recommendation
Given the critical CVSS score of 9.8 and the ability for an unauthenticated attacker to achieve a full site compromise, this vulnerability represents a significant and immediate threat. We strongly recommend that organizations identify all instances of The LazyTasks plugin and apply the vendor-supplied patch without delay. Although this CVE is not currently on the CISA KEV list, its severity makes it a prime candidate for future inclusion and a high-value target for attackers. Prioritize this patch above all other routine maintenance.