BuddyTask WordPress Plugin Missing Authorization Vulnerability Allows Unauthorized Cross-Group Task Board Access and Manipulation

A vulnerability exists in the BuddyTask plugin for WordPress, all versions prior to and including 1.3.0. The issue stems from a missing capability check on several AJAX endpoints, which allows authenticated attackers with Subscriber-level access and above to unauthorized access and modification of data. Exploitation of this vulnerability enables these users to view, create, modify, and delete task boards associated with any BuddyPress group, including private and hidden groups they do not belong to.

Impact

Exploitation of this vulnerability could lead to unauthorized access to and manipulation of task boards across different BuddyPress groups, potentially allowing for unauthorized changes to task assignments and statuses.

Reproduction

To reproduce this vulnerability, an authenticated user with Subscriber-level access can send requests to the affected AJAX endpoints without the necessary authorization checks being enforced. This can be done by bypassing the standard WordPress nonce verification process, which is intended to prevent unauthorized actions.

Remediation

Users are advised to update the BuddyTask plugin to version 1.4.0 or later, where this vulnerability has been patched.