Attack Vectors
The LazyTasks – Project & Task Management with Collaboration, Kanban and Gantt Chart WordPress plugin (slug: lazytasks-project-task-management) has a Critical vulnerability (CVSS 9.8) that can be exploited remotely over the internet without any user login. In practical terms, an attacker can target any WordPress site running LazyTasks 1.2.37 or earlier by sending crafted requests directly to the site.
The CVSS vector for CVE-2025-68869 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) records a network attack vector, low attack complexity, no privileges and no user interaction required, and high impact on confidentiality, integrity and availability. Because no credentials are required, this exposure is especially risky for public-facing sites (marketing sites, campaign landing pages, and corporate sites) where WordPress is reachable from the open web.
Security Weakness
The issue is an Unauthenticated Privilege Escalation weakness in LazyTasks affecting all versions up to and including 1.2.37. It can allow an attacker with no account to elevate privileges to administrator, effectively granting full control of the WordPress site.
This type of flaw is particularly dangerous because it bypasses normal access controls. Once an attacker can become an administrator, they can change site settings, add new admin users, and manipulate content and plugins—without needing to crack passwords or phish employees.
Remediation: Update LazyTasks to version 1.3.01 or a newer patched version, then confirm the installed version on each site and review administrator accounts and plugin files created while the site was running an affected release. Reference: Wordfence advisory.
Technical or Business Impacts
Full site takeover risk: With administrator access, attackers can create hidden admin accounts, modify themes and plugins, or introduce malicious code that persists even after a password reset.
Brand and revenue impact: Compromised sites can be used to deface pages, redirect visitors to fraudulent destinations, or inject spam and unwanted ads—damaging campaign performance, SEO rankings, and customer trust.
Data and compliance exposure: Depending on what your site stores (customer inquiries, employee accounts, analytics integrations, or other personal data), an administrator-level compromise can lead to unauthorized access and potential reporting obligations for Compliance, Legal, and executive leadership.
Operational disruption: Attackers can lock out legitimate administrators, break site functionality, or force downtime during incident response—impacting marketing launches, lead capture, and business continuity.
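As an added example (not code from this advisory, from Wordfence, or from the LazyTasks project), the POSIX shell script below performs the two checks a site owner needs after the remediation and impact points above: confirm that the installed LazyTasks version is 1.3.01 or later, and list administrator accounts registered since a chosen date so that hidden admin users created during the exposure window stand out. It assumes WP-CLI is installed as `wp` on the WordPress host and uses only `wp plugin get --field=version` and `wp user list`; the plugin slug and patched version come from this page, while the sample CSV, the account names in it and the cut-off date are constructed placeholders.

```shell
#!/bin/sh
# Added example for this advisory; not code from the page or from the LazyTasks
# project. Assumes WP-CLI is installed as `wp` on the WordPress host and that the
# plugin is installed under the slug below. Run it from the WordPress root.

PLUGIN_SLUG="lazytasks-project-task-management"
PATCHED_VERSION="1.3.01"   # first fixed release named in the advisory

# vercmp A B: prints -1, 0 or 1 as A is older than, equal to, or newer than B.
# Each dot-separated component is compared numerically, so "1.3.01" equals
# "1.3.1" and "1.2.37" is older than "1.3.01". `sort -V` orders components with
# leading zeros differently, which is why the comparison is done in awk.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      xi = (i in x) ? x[i] + 0 : 0
      yi = (i in y) ? y[i] + 0 : 0
      if (xi < yi) { print -1; exit }
      if (xi > yi) { print 1; exit }
    }
    print 0
  }'
}

# is_vulnerable VERSION: succeeds (exit 0) when VERSION predates the patched release.
is_vulnerable() {
  [ "$(vercmp "$1" "$PATCHED_VERSION")" -lt 0 ]
}

# check_installed_plugin: reads the installed version via WP-CLI and reports it.
# Exit status: 0 patched or not installed, 1 vulnerable, 2 could not determine.
check_installed_plugin() {
  if ! command -v wp >/dev/null 2>&1; then
    echo "wp-cli not found; run this on the WordPress host" >&2
    return 2
  fi
  installed=$(wp plugin get "$PLUGIN_SLUG" --field=version 2>/dev/null) || {
    echo "$PLUGIN_SLUG is not installed"
    return 0
  }
  if is_vulnerable "$installed"; then
    echo "VULNERABLE: $PLUGIN_SLUG $installed (update to $PATCHED_VERSION or later)"
    return 1
  fi
  echo "OK: $PLUGIN_SLUG $installed"
}

# admins_registered_since DATE: reads on stdin the CSV produced by
#   wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv
# and prints the login of every administrator registered on or after DATE
# (YYYY-MM-DD). Administrators created while the site ran an affected version
# need to be verified with whoever owns the site.
admins_registered_since() {
  awk -F, -v since="$1" 'NR > 1 && substr($3, 1, 10) >= since { print $2 }'
}

# audit_admins DATE: live version of the check above, fed by WP-CLI output.
audit_admins() {
  wp user list --role=administrator --fields=ID,user_login,user_registered --format=csv \
    | admins_registered_since "$1"
}

# Constructed sample of WP-CLI's CSV output so the filter can be exercised
# without a live site. The logins and dates are made up.
SAMPLE_ADMIN_CSV='ID,user_login,user_registered
1,siteowner,2021-03-02 09:14:55
7,wp-support,2025-12-20 03:41:12'

# Demo on the constructed sample with a placeholder cut-off date.
printf '%s\n' "$SAMPLE_ADMIN_CSV" | admins_registered_since 2025-12-01

# On a real host, run the live checks. Replace the date with the day the site
# first ran an affected version. Failures are reported but do not abort the script.
if command -v wp >/dev/null 2>&1; then
  check_installed_plugin || true
  audit_admins 2025-12-01 || true
fi
```

The version comparison is deliberately numeric per component rather than a string or `sort -V` comparison, because the patched release is written as 1.3.01 and a lexical check would misorder it against 1.3.1 or 1.2.37. A non-empty list from `audit_admins` is not proof of compromise on its own; it is the list of accounts to confirm with the site owner before trusting the site again.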
Similar Attacks
Unauthenticated or low-friction paths to administrative control have been leveraged in other WordPress incidents, including:
WooCommerce Payments authentication bypass (Wordfence write-up)
Ultimate Member privilege escalation (Wordfence write-up)