Skip to main content

Taskbuilder WordPress Plugin CVE-2026-6225

| EUVDEUVD-2026-30251 MEDIUM
SQL Injection (CWE-89)
2026-05-14 Wordfence GHSA-3p2q-mr23-4xx4
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 08, 2026 - 10:50 vuln.today
CVE Published
May 14, 2026 - 06:44 nvd
MEDIUM 6.5

DescriptionCVE.org

The Taskbuilder - Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'project_search' parameter in all versions up to, and including, 5.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

AnalysisAI

Time-based blind SQL injection in the Taskbuilder - Project Management & Task Management Tool With Kanban Board WordPress plugin (all versions through 5.0.6) enables authenticated attackers with Subscriber-level access or above to exfiltrate arbitrary data from the underlying database via the 'project_search' parameter. The vulnerability stems from unsanitized user input being passed into an unprepared SQL query, exposing confidential database contents including user credentials, configuration data, and application records. No public exploit code has been identified at time of analysis, EPSS probability is very low at 0.03%, and CISA has not added this to the Known Exploited Vulnerabilities catalog.

Technical ContextAI

CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) describes this root cause: user-supplied input for the 'project_search' parameter is neither properly escaped nor passed through a parameterized prepared statement before being incorporated into SQL queries. The time-based blind technique means the attacker infers data character-by-character by measuring conditional database delays (e.g., via SLEEP() or BENCHMARK() functions in MySQL), making exploitation slower but effective without visible output in HTTP responses. The affected component is the Taskbuilder plugin for WordPress, identified by CPE cpe:2.3:a:taskbuilder:taskbuilder_-_project_management_&_task_management_tool_with_kanban_board:*:*:*:*:*:*:*:* across all versions up to and including 5.0.6, running on the WordPress PHP stack and its underlying MySQL/MariaDB database.

RemediationAI

A code-level fix has been committed to the WordPress plugin repository as changeset 3507782, visible at https://plugins.trac.wordpress.org/changeset/3507782/taskbuilder; however, a specific released patched version number is not independently confirmed from available data - site operators should update to the latest available version of the Taskbuilder plugin via the WordPress plugin dashboard and verify it reflects the post-5.0.6 codebase. If immediate upgrade is not feasible, a compensating control is to restrict WordPress account registration and audit existing Subscriber-level accounts to reduce the attacker surface for authenticated exploitation - removing unnecessary or unrecognized subscriber accounts directly eliminates the required authentication prerequisite. Additionally, a web application firewall (WAF) rule targeting time-delay SQL injection patterns (SLEEP, BENCHMARK, WAITFOR) on the project_search parameter can provide detection and partial blocking, though WAF bypass is possible and should not replace patching. Full details and vendor advisory are available via Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/561479ed-2402-4511-9344-d6b9e28f2f33?source=cve.

Share

CVE-2026-6225 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy