Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable AJAX endpoint (AV:N), trivially exploitable (AC:L), requires only Subscriber authentication (PR:L), yields full database read (C:H) with no write or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Taskbuilder - Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'task_search' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. The wppm_get_task_list AJAX handler performs no capability check and no nonce verification, meaning any authenticated user including those with Subscriber-level access can invoke it directly.
AnalysisAI
SQL Injection in the Taskbuilder Project Management & Task Management WordPress plugin (versions up to and including 5.0.8) allows any authenticated WordPress user with Subscriber-level access or higher to exfiltrate arbitrary data from the site's database. The root cause is dual: insufficient escaping of the 'task_search' parameter in the wppm_get_task_list AJAX handler combined with a complete absence of capability checks and nonce verification on that handler, meaning the attack surface is broader than typical subscriber-exploitable SQLi. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress user account at Subscriber role or higher on the target site - this is the minimum authenticated session needed to trigger the wp_ajax_ hook. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD/Wordfence CVSS 3.1 score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects the risk profile. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free Subscriber account on a target WordPress site running Taskbuilder 5.0.8 or earlier (or obtains any valid credential through phishing or credential stuffing), then sends a crafted authenticated POST request to wp-admin/admin-ajax.php with action=wppm_get_task_list and a SQL-injected task_search value such as a UNION SELECT payload. Because the AJAX handler performs no capability check and no nonce validation, the injected query executes in the database context, returning WordPress user table contents - including password hashes, emails, and session tokens - in the AJAX response. … |
| Remediation | Upgrade the Taskbuilder plugin to version 5.0.9 or later, which addresses the SQL injection by applying proper parameter preparation in wppm_tasks_list.php (changeset 3576941). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL injection in the Taskbuilder Project Management plugin for WordPress (versions ≤5.0.8) enables any authenticated use
Time-based blind SQL injection in the Taskbuilder - Project Management & Task Management Tool With Kanban Board WordPres
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40894
GHSA-9gpp-96v9-98wp