Skip to main content

Taskbuilder WordPress Plugin EUVDEUVD-2026-40898

| CVE-2026-12090 MEDIUM
SQL Injection (CWE-89)
2026-07-01 Wordfence GHSA-vm7h-7fwq-hq44
6.5
CVSS 3.1 · Vendor: Wordfence
Share

Severity by source

Vendor (Wordfence) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
6.5 MEDIUM

Network-reachable AJAX endpoint, subscriber auth sufficient (PR:L), read-only injection yields high confidentiality loss with no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (Wordfence).

CVSS VectorVendor: Wordfence

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jul 01, 2026 - 05:33 vuln.today
CVE Published
Jul 01, 2026 - 03:43 nvd
MEDIUM 6.5

DescriptionCVE.org

The Taskbuilder - Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'wppm_proj_filter' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. No nonce verification is performed on the wp_ajax_wppm_view_project_tasks handler, meaning any authenticated session - including subscriber-level - can reach the vulnerable code path without any additional preconditions.

AnalysisAI

SQL injection in the Taskbuilder Project Management plugin for WordPress (versions ≤5.0.8) enables any authenticated user-including those with only subscriber-level access-to exfiltrate sensitive data from the WordPress database. The vulnerability exists in the wppm_proj_filter parameter handled by wppm_view_project_tasks.php, which lacks both proper SQL escaping and prepared statement usage. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Register or obtain subscriber-level WordPress account
Delivery
POST to wp-admin/admin-ajax.php?action=wppm_view_project_tasks
Exploit
Inject SQL payload into wppm_proj_filter parameter
Execution
Bypass nonce check (absent)
Persist
Execute appended query against WordPress database
Impact
Exfiltrate sensitive data from database response

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid WordPress authenticated session at subscriber level or higher-this is the minimum role WordPress assigns to any registered user. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N) accurately reflects the realistic threat profile: network-accessible, low complexity, low-privilege authentication threshold, no user interaction, and high confidentiality impact with no integrity or availability component. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers a free subscriber account on a WordPress site running Taskbuilder ≤5.0.8 (or uses a compromised low-privilege credential), then issues a crafted POST request to `wp-admin/admin-ajax.php` with `action=wppm_view_project_tasks` and a malicious `wppm_proj_filter` value containing a UNION-based or time-based SQL injection payload. Because no nonce is checked, the request is processed and the injected query executes against the WordPress database, returning contents such as user credentials, private post data, or plugin configuration. …
Remediation The primary fix is to upgrade the Taskbuilder plugin to version 5.0.9 or later. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-40898 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy