Skip to main content

Taskbuilder WordPress Plugin CVE-2026-12110

| EUVDEUVD-2026-40894 MEDIUM
SQL Injection (CWE-89)
2026-07-01 Wordfence GHSA-9gpp-96v9-98wp
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable AJAX endpoint (AV:N), trivially exploitable (AC:L), requires only Subscriber authentication (PR:L), yields full database read (C:H) with no write or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:32 vuln.today
CVE Published
Jul 01, 2026 - 03:43 nvd
MEDIUM 6.5

DescriptionCVE.org

The Taskbuilder - Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'task_search' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The wppm_get_task_list AJAX handler performs no capability check and no nonce verification, meaning any authenticated user including those with Subscriber-level access can invoke it directly.

AnalysisAI

SQL Injection in the Taskbuilder Project Management & Task Management WordPress plugin (versions up to and including 5.0.8) allows any authenticated WordPress user with Subscriber-level access or higher to exfiltrate arbitrary data from the site's database. The root cause is dual: insufficient escaping of the 'task_search' parameter in the wppm_get_task_list AJAX handler combined with a complete absence of capability checks and nonce verification on that handler, meaning the attack surface is broader than typical subscriber-exploitable SQLi. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain WordPress Subscriber account
Delivery
Send authenticated POST to wp-admin/admin-ajax.php with action=wppm_get_task_list
Exploit
Inject UNION SELECT payload into task_search parameter
Execution
Bypass absent capability check and nonce verification
Impact
Extract WordPress database contents including user credentials

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress user account at Subscriber role or higher on the target site - this is the minimum authenticated session needed to trigger the wp_ajax_ hook. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD/Wordfence CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects the risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free Subscriber account on a target WordPress site running Taskbuilder 5.0.8 or earlier (or obtains any valid credential through phishing or credential stuffing), then sends a crafted authenticated POST request to wp-admin/admin-ajax.php with action=wppm_get_task_list and a SQL-injected task_search value such as a UNION SELECT payload. Because the AJAX handler performs no capability check and no nonce validation, the injected query executes in the database context, returning WordPress user table contents - including password hashes, emails, and session tokens - in the AJAX response. …
Remediation Upgrade the Taskbuilder plugin to version 5.0.9 or later, which addresses the SQL injection by applying proper parameter preparation in wppm_tasks_list.php (changeset 3576941). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-12110 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy