Skip to main content

Taskbuilder Project Management Task Management Tool With Kanban Board

3 CVEs product

Monthly

CVE-2026-12090 MEDIUM This Month

SQL injection in the Taskbuilder Project Management plugin for WordPress (versions ≤5.0.8) enables any authenticated user-including those with only subscriber-level access-to exfiltrate sensitive data from the WordPress database. The vulnerability exists in the `wppm_proj_filter` parameter handled by `wppm_view_project_tasks.php`, which lacks both proper SQL escaping and prepared statement usage. Compounding the risk, the `wp_ajax_wppm_view_project_tasks` AJAX handler performs no nonce verification, meaning the vulnerable code path is reachable by any authenticated WordPress session without additional preconditions. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress SQLi Taskbuilder Project Management Task Management Tool With Kanban Board
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-12110 MEDIUM This Month

SQL Injection in the Taskbuilder Project Management & Task Management WordPress plugin (versions up to and including 5.0.8) allows any authenticated WordPress user with Subscriber-level access or higher to exfiltrate arbitrary data from the site's database. The root cause is dual: insufficient escaping of the 'task_search' parameter in the wppm_get_task_list AJAX handler combined with a complete absence of capability checks and nonce verification on that handler, meaning the attack surface is broader than typical subscriber-exploitable SQLi. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; however, the low privilege bar and straightforward injection vector make this a credible threat against any WordPress site running the affected plugin.

WordPress SQLi Taskbuilder Project Management Task Management Tool With Kanban Board
NVD VulDB
CVSS 3.1
6.5
EPSS
0.3%
CVE-2026-6225 MEDIUM This Month

Time-based blind SQL injection in the Taskbuilder - Project Management & Task Management Tool With Kanban Board WordPress plugin (all versions through 5.0.6) enables authenticated attackers with Subscriber-level access or above to exfiltrate arbitrary data from the underlying database via the 'project_search' parameter. The vulnerability stems from unsanitized user input being passed into an unprepared SQL query, exposing confidential database contents including user credentials, configuration data, and application records. No public exploit code has been identified at time of analysis, EPSS probability is very low at 0.03%, and CISA has not added this to the Known Exploited Vulnerabilities catalog.

SQLi WordPress Taskbuilder Project Management Task Management Tool With Kanban Board
NVD
CVSS 3.1
6.5
EPSS
0.0%
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL injection in the Taskbuilder Project Management plugin for WordPress (versions ≤5.0.8) enables any authenticated user-including those with only subscriber-level access-to exfiltrate sensitive data from the WordPress database. The vulnerability exists in the `wppm_proj_filter` parameter handled by `wppm_view_project_tasks.php`, which lacks both proper SQL escaping and prepared statement usage. Compounding the risk, the `wp_ajax_wppm_view_project_tasks` AJAX handler performs no nonce verification, meaning the vulnerable code path is reachable by any authenticated WordPress session without additional preconditions. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

WordPress SQLi Taskbuilder Project Management Task Management Tool With Kanban Board
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

SQL Injection in the Taskbuilder Project Management & Task Management WordPress plugin (versions up to and including 5.0.8) allows any authenticated WordPress user with Subscriber-level access or higher to exfiltrate arbitrary data from the site's database. The root cause is dual: insufficient escaping of the 'task_search' parameter in the wppm_get_task_list AJAX handler combined with a complete absence of capability checks and nonce verification on that handler, meaning the attack surface is broader than typical subscriber-exploitable SQLi. No public exploit or active exploitation (CISA KEV) has been identified at time of analysis; however, the low privilege bar and straightforward injection vector make this a credible threat against any WordPress site running the affected plugin.

WordPress SQLi Taskbuilder Project Management Task Management Tool With Kanban Board
NVD VulDB
EPSS 0% CVSS 6.5
MEDIUM This Month

Time-based blind SQL injection in the Taskbuilder - Project Management & Task Management Tool With Kanban Board WordPress plugin (all versions through 5.0.6) enables authenticated attackers with Subscriber-level access or above to exfiltrate arbitrary data from the underlying database via the 'project_search' parameter. The vulnerability stems from unsanitized user input being passed into an unprepared SQL query, exposing confidential database contents including user credentials, configuration data, and application records. No public exploit code has been identified at time of analysis, EPSS probability is very low at 0.03%, and CISA has not added this to the Known Exploited Vulnerabilities catalog.

SQLi WordPress Taskbuilder Project Management Task Management Tool With Kanban Board
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy