Taskbuilder
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
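As an added illustration of the pattern this advisory describes (this is example code written for this page, not the Taskbuilder plugin's own source), the block below shows a shortcode handler that echoes a query-string value into an inline script, first in the vulnerable form and then hardened. The parameter name `tb_ref`, the shortcode tag `tb_example` and the script handle `tb-example-frontend` are assumptions made for the example.

```php
<?php
// Added example (not the Taskbuilder plugin's code). Parameter name, shortcode
// tag and script handle are assumptions made for illustration.

// VULNERABLE: the raw query-string value lands inside a JavaScript string
// literal. A URL such as   ?tb_ref='; alert(document.cookie); //
// closes the literal and runs attacker JavaScript in the visitor's session.
// Output escaping such as esc_html() would not help here, because the sink
// is a JS string, not HTML text.
function tb_example_vulnerable_render() {
    $ref = isset( $_GET['tb_ref'] ) ? $_GET['tb_ref'] : '';
    return "<script>var tbRef = '" . $ref . "';</script>";
}

// HARDENED: validate the input against the shape the feature actually needs,
// then hand the value to JavaScript as JSON instead of by string concatenation.
function tb_example_hardened_render() {
    $raw = isset( $_GET['tb_ref'] ) ? wp_unslash( $_GET['tb_ref'] ) : '';
    $ref = sanitize_text_field( $raw );

    // Only accept the token format this hypothetical feature uses (assumption).
    if ( ! preg_match( '/^[A-Za-z0-9_-]{1,64}$/', $ref ) ) {
        $ref = '';
    }

    // wp_json_encode() yields a JS-safe literal; the JSON_HEX_* flags also
    // encode < > & ' " so the value can never terminate the <script> block.
    $flags  = JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT;
    $inline = 'var tbRef = ' . wp_json_encode( $ref, $flags ) . ';';

    // Attach the data to the plugin's already-enqueued script rather than
    // printing a bare <script> tag from inside the shortcode handler.
    wp_add_inline_script( 'tb-example-frontend', $inline, 'before' );

    return '<div class="tb-example"></div>';
}
add_shortcode( 'tb_example', 'tb_example_hardened_render' );
```

The check to run on a real plugin is the same one the hardened version encodes: for every `$_GET`/`$_POST` value that reaches a `<script>` block, confirm it is either validated to a strict format or emitted through `wp_json_encode()` / `wp_localize_script()`, never concatenated into a string literal.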
SQL injection in the Taskbuilder WordPress plugin versions 5.0.7 and earlier allows authenticated Subscriber-level users to inject malicious SQL into backend database queries, enabling exposure of sensitive data including credential hashes and limited integrity/availability impact on the underlying WordPress site. The flaw was disclosed by Patchstack and carries a CVSS 3.1 score of 8.5 driven by a scope change to the database tier; there is no public exploit identified at time of analysis and the issue is not on CISA KEV.
The Taskbuilder WordPress plugin before 3.0.9 does not sanitize and escape a parameter before using it in a SQL statement, allowing admins to perform SQL injection attacks. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable with low attack complexity; the administrator-only precondition is what holds the score below the Subscriber-level issue above. Public exploit code is available. The listing records no vendor patch, yet the affected range ("before 3.0.9") implies the fix shipped in 3.0.9, so confirm the fixed version against the vendor changelog before treating an install as unpatched.
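Both SQL injection entries above come down to request values reaching `$wpdb` queries without binding, and in the Subscriber-level case without an adequate authorisation check in front of the query. The block below is an added example written for this page, not the plugin's code: the table `{$wpdb->prefix}tb_tasks`, the AJAX action `tb_example_tasks`, the nonce name and the parameter names are assumptions made for illustration.

```php
<?php
// Added example (not the Taskbuilder plugin's code). Table name, AJAX action,
// nonce and parameter names are assumptions made for illustration.

// VULNERABLE: request values are interpolated straight into SQL, and the
// wp_ajax_* hook fires for any logged-in user, so a Subscriber can reach it.
// Example payload (the users table name assumes the default wp_ prefix):
//   ?action=tb_example_tasks&project_id=1 UNION SELECT user_login,user_pass FROM wp_users -- &orderby=title
function tb_example_tasks_vulnerable() {
    global $wpdb;
    $project = $_GET['project_id'];
    $orderby = $_GET['orderby'];
    $sql = "SELECT id, title FROM {$wpdb->prefix}tb_tasks WHERE project_id = $project ORDER BY $orderby";
    wp_send_json( $wpdb->get_results( $sql ) );
}

// HARDENED
function tb_example_tasks_hardened() {
    global $wpdb;

    // 1. Authorisation first: require the capability the data actually needs,
    //    and a nonce so the request cannot be forged cross-site.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'tb_example_tasks', 'nonce' );

    // 2. Values: cast to the expected type and bind through $wpdb->prepare().
    $project = absint( $_GET['project_id'] ?? 0 );

    // 3. Identifiers: prepare() cannot bind a column name, so map the request
    //    value onto a fixed allow-list and never use it directly.
    $columns = array( 'title' => 'title', 'due' => 'due_date', 'status' => 'status' );
    $key     = sanitize_key( $_GET['orderby'] ?? 'title' );
    $orderby = isset( $columns[ $key ] ) ? $columns[ $key ] : 'title';

    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}tb_tasks WHERE project_id = %d ORDER BY $orderby",
        $project
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_tb_example_tasks', 'tb_example_tasks_hardened' );
```

The ORDER BY handling is the part most often missed: `$wpdb->prepare()` only binds values, so a sort column or table name taken from the request still needs an allow-list even after every value has been parameterised.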
The Taskbuilder - WordPress Project & Task Management plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's wppm_tasks shortcode in all versions up to, and. Rated medium severity (CVSS 6.4), this vulnerability is remotely exploitable with low attack complexity. Because the payload is saved inside the shortcode in post content and rendered on every page view, it executes in the browser of any user, including administrators, who views the affected page, whereas the reflected issue above requires the victim to open a crafted URL.
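Stored XSS through a shortcode typically means attribute values are written into the rendered markup without context-appropriate escaping. The block below is an added example written for this page, not the plugin's code; the shortcode tag `wppm_example_tasks` and the attribute names `title`, `css_class` and `link` are assumptions made for illustration.

```php
<?php
// Added example (not the Taskbuilder plugin's code). Shortcode tag and
// attribute names are assumptions made for illustration.

// VULNERABLE: attribute values go into the markup unescaped. A user who can
// write posts but lacks unfiltered_html (e.g. a Contributor) cannot insert a
// <script> tag directly, but can save
//   [wppm_example_tasks title='" onmouseover="alert(1)' css_class="x"]
// and the handler emits that as live markup for every viewer of the post.
function wppm_example_tasks_vulnerable( $atts ) {
    return '<div class="tasks ' . $atts['css_class'] . '" title="' . $atts['title'] . '">'
         . '<a href="' . $atts['link'] . '">' . $atts['title'] . '</a></div>';
}

// HARDENED: declare the attributes you accept, then escape each value for the
// exact context it is written into (HTML attribute, URL, text node).
function wppm_example_tasks_hardened( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => '', 'css_class' => '', 'link' => '' ),
        $atts,
        'wppm_example_tasks'
    );

    // A class list never needs arbitrary characters: reduce it to safe tokens.
    $classes = array_map( 'sanitize_html_class', preg_split( '/\s+/', $atts['css_class'] ) );
    $classes = implode( ' ', array_filter( $classes ) );

    return sprintf(
        '<div class="tasks %s" title="%s"><a href="%s">%s</a></div>',
        esc_attr( $classes ),
        esc_attr( $atts['title'] ),
        esc_url( $atts['link'] ),   // also drops javascript: and other non-allowed schemes
        esc_html( $atts['title'] )
    );
}
add_shortcode( 'wppm_example_tasks', 'wppm_example_tasks_hardened' );
```

Note that the same `title` value is escaped twice with different functions because it appears in two contexts; a single "sanitise on input" pass cannot cover both, which is why WordPress guidance is to escape late, at the point of output.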