Description
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in taskbuilder Taskbuilder taskbuilder allows Reflected XSS. This issue affects Taskbuilder: from n/a through <= 4.0.9.
Published: 2026-01-08
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting
Action: Immediate Patch
AI Analysis

Impact

The affected software contains a reflected Cross‑Site Scripting vulnerability (CWE‑79) that allows an attacker to embed malicious scripts into the web page output of the Taskbuilder plugin. When a crafted request containing attacker‑supplied input is processed, the input is reflected directly in the browser without proper sanitization, permitting the execution of arbitrary JavaScript in the victim’s context.

Affected Systems

The vulnerability affects the WordPress Taskbuilder plugin for all versions through and including 4.0.9. Users running any of those releases are potentially exposed if the plugin is enabled.

Risk and Exploitability

The CVSS score of 7.1 places the flaw in the High severity band, while the very low EPSS (<1%) suggests that real-world exploitation is unlikely. It is not listed in CISA's KEV catalog. Because the flaw is reflected XSS, an attacker only needs to persuade a victim to visit a specially crafted URL or link; no authentication or elevated privileges are required, which makes phishing and link sharing the natural delivery vectors.

Generated by OpenCVE AI on April 28, 2026 at 18:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Taskbuilder plugin to the latest available version that resolves CVE‑2025‑67933.
  • If the plugin is not required, disable or remove it entirely to prevent exploitation.
  • Configure a strict Content-Security-Policy header on the web server that blocks inline scripts and restricts script sources, reducing the impact of any remaining reflected XSS flaws.


Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Fri, 09 Jan 2026 13:30:00 +0000

Type: First Time appeared
Values Added: Taskbuilder; Taskbuilder taskbuilder; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Added: Taskbuilder; Taskbuilder taskbuilder; Wordpress; Wordpress wordpress

Thu, 08 Jan 2026 18:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 08 Jan 2026 16:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}


Thu, 08 Jan 2026 09:45:00 +0000

Values Added:
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in taskbuilder Taskbuilder taskbuilder allows Reflected XSS. This issue affects Taskbuilder: from n/a through <= 4.0.9.
Title: WordPress Taskbuilder plugin <= 4.0.9 - Cross Site Scripting (XSS) vulnerability
Weaknesses: CWE-79
References

MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:24.130Z

Reserved: 2025-12-15T09:59:55.700Z

Link: CVE-2025-67933

Vulnrichment

Updated: 2026-01-08T14:53:50.327Z

NVD

Status: Deferred

Published: 2026-01-08T10:15:52.393

Modified: 2026-04-27T18:16:50.480

Link: CVE-2025-67933

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T18:30:37Z
