Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Taskbuilder - Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'project_search' parameter in all versions up to, and including, 5.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
AnalysisAI
Time-based blind SQL injection in the Taskbuilder - Project Management & Task Management Tool With Kanban Board WordPress plugin (all versions through 5.0.6) enables authenticated attackers with Subscriber-level access or above to exfiltrate arbitrary data from the underlying database via the 'project_search' parameter. The vulnerability stems from unsanitized user input being passed into an unprepared SQL query, exposing confidential database contents including user credentials, configuration data, and application records. No public exploit code has been identified at time of analysis, EPSS probability is very low at 0.03%, and CISA has not added this to the Known Exploited Vulnerabilities catalog.
Technical ContextAI
CWE-89 (Improper Neutralization of Special Elements used in an SQL Command) describes this root cause: user-supplied input for the 'project_search' parameter is neither properly escaped nor passed through a parameterized prepared statement before being incorporated into SQL queries. The time-based blind technique means the attacker infers data character-by-character by measuring conditional database delays (e.g., via SLEEP() or BENCHMARK() functions in MySQL), making exploitation slower but effective without visible output in HTTP responses. The affected component is the Taskbuilder plugin for WordPress, identified by CPE cpe:2.3:a:taskbuilder:taskbuilder_-_project_management_&_task_management_tool_with_kanban_board:*:*:*:*:*:*:*:* across all versions up to and including 5.0.6, running on the WordPress PHP stack and its underlying MySQL/MariaDB database.
RemediationAI
A code-level fix has been committed to the WordPress plugin repository as changeset 3507782, visible at https://plugins.trac.wordpress.org/changeset/3507782/taskbuilder; however, a specific released patched version number is not independently confirmed from available data - site operators should update to the latest available version of the Taskbuilder plugin via the WordPress plugin dashboard and verify it reflects the post-5.0.6 codebase. If immediate upgrade is not feasible, a compensating control is to restrict WordPress account registration and audit existing Subscriber-level accounts to reduce the attacker surface for authenticated exploitation - removing unnecessary or unrecognized subscriber accounts directly eliminates the required authentication prerequisite. Additionally, a web application firewall (WAF) rule targeting time-delay SQL injection patterns (SLEEP, BENCHMARK, WAITFOR) on the project_search parameter can provide detection and partial blocking, though WAF bypass is possible and should not replace patching. Full details and vendor advisory are available via Wordfence at https://www.wordfence.com/threat-intel/vulnerabilities/id/561479ed-2402-4511-9344-d6b9e28f2f33?source=cve.
SQL Injection in the Taskbuilder Project Management & Task Management WordPress plugin (versions up to and including 5.0
SQL injection in the Taskbuilder Project Management plugin for WordPress (versions ≤5.0.8) enables any authenticated use
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30251
GHSA-3p2q-mr23-4xx4