Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Network-reachable AJAX endpoint, subscriber auth sufficient (PR:L), read-only injection yields high confidentiality loss with no integrity or availability impact.
Primary rating from Vendor (Wordfence).
CVSS VectorVendor: Wordfence
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionCVE.org
The Taskbuilder - Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'wppm_proj_filter' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. No nonce verification is performed on the wp_ajax_wppm_view_project_tasks handler, meaning any authenticated session - including subscriber-level - can reach the vulnerable code path without any additional preconditions.
AnalysisAI
SQL injection in the Taskbuilder Project Management plugin for WordPress (versions ≤5.0.8) enables any authenticated user-including those with only subscriber-level access-to exfiltrate sensitive data from the WordPress database. The vulnerability exists in the wppm_proj_filter parameter handled by wppm_view_project_tasks.php, which lacks both proper SQL escaping and prepared statement usage. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid WordPress authenticated session at subscriber level or higher-this is the minimum role WordPress assigns to any registered user. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects the realistic threat profile: network-accessible, low complexity, low-privilege authentication threshold, no user interaction, and high confidentiality impact with no integrity or availability component. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a WordPress site running Taskbuilder ≤5.0.8 (or uses a compromised low-privilege credential), then issues a crafted POST request to `wp-admin/admin-ajax.php` with `action=wppm_view_project_tasks` and a malicious `wppm_proj_filter` value containing a UNION-based or time-based SQL injection payload. Because no nonce is checked, the request is processed and the injected query executes against the WordPress database, returning contents such as user credentials, private post data, or plugin configuration. … |
| Remediation | The primary fix is to upgrade the Taskbuilder plugin to version 5.0.9 or later. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
SQL Injection in the Taskbuilder Project Management & Task Management WordPress plugin (versions up to and including 5.0
Time-based blind SQL injection in the Taskbuilder - Project Management & Task Management Tool With Kanban Board WordPres
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40898
GHSA-vm7h-7fwq-hq44