Description
The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'wppm_proj_filter' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. No nonce verification is performed on the wp_ajax_wppm_view_project_tasks handler, meaning any authenticated session — including subscriber-level — can reach the vulnerable code path without any additional preconditions.
Published: 2026-07-01
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The plugin contains a generic SQL injection flaw caused by the lack of proper escaping on the wppm_proj_filter parameter and the absence of nonce verification in the wp_ajax_wppm_view_project_tasks handler. The vulnerability allows any authenticated user with subscriber or higher privileges to append malicious SQL clauses to existing queries and extract confidential data from the WordPress database. The impact is a compromise of database confidentiality and the potential exposure of user or project data.
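How the two missing controls named above (query preparation and nonce verification) look when applied in a WordPress AJAX handler, as an added illustration written for this page rather than the plugin's actual code, which is not reproduced here. The hook name and the 'wppm_proj_filter' parameter come from the advisory; the table, column, status values, nonce action and capability names are assumptions.

```php
<?php
// Added illustration, not the Taskbuilder plugin's own code. The hook and parameter
// names are from the advisory; everything else (table, columns, nonce action,
// capability, status values) is assumed for the sake of a runnable handler.

// WEAK PATTERN, the class of defect the advisory describes: the filter value is
// interpolated into the SQL string unescaped, and no nonce is checked.
function wppm_view_project_tasks_weak() {
    global $wpdb;
    $filter = isset( $_POST['wppm_proj_filter'] ) ? $_POST['wppm_proj_filter'] : '';
    $rows   = $wpdb->get_results(
        "SELECT id, title FROM {$wpdb->prefix}wppm_tasks WHERE status = '$filter'"
    );
    wp_send_json_success( $rows );
}

// HARDENED FORM: nonce, capability check, allow-listed input, prepared query.
function wppm_view_project_tasks_hardened() {
    global $wpdb;

    // 1. Nonce: the request must carry a token issued to this session for this
    //    action, which blocks cross-site requests. Action 'wppm_view_tasks' and
    //    request field 'nonce' are assumed names.
    check_ajax_referer( 'wppm_view_tasks', 'nonce' );

    // 2. Capability: a subscriber should not reach project data at all.
    //    'wppm_view_projects' is an assumed custom capability.
    if ( ! current_user_can( 'wppm_view_projects' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allow-list the filter rather than trusting free-form input.
    $allowed = array( 'open', 'in_progress', 'done' ); // assumed status values
    $raw     = isset( $_POST['wppm_proj_filter'] ) ? wp_unslash( $_POST['wppm_proj_filter'] ) : 'open';
    $filter  = sanitize_key( $raw );
    if ( ! in_array( $filter, $allowed, true ) ) {
        wp_send_json_error( 'invalid filter', 400 );
    }

    // 4. Parameterise: $wpdb->prepare() quotes and escapes the %s value, so it is
    //    only ever compared as data and never parsed as part of the SQL statement.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}wppm_tasks WHERE status = %s",
        $filter
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

add_action( 'wp_ajax_wppm_view_project_tasks', 'wppm_view_project_tasks_hardened' );
```

Even with the allow-list in step 3, step 4 stays in place: the prepared statement is the control that holds if the list is later widened to accept free-form values.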

Affected Systems

The flaw exists in Taskbuilder – Project Management & Task Management Tool With Kanban Board, a WordPress plugin. Versions up to and including 5.0.8 are affected; no specific version sub‑range beyond this is mentioned, so all releases of the plugin before the 5.0.9 update are vulnerable.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity. No EPSS score is reported, so the exploitation probability cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an authenticated session – any user with subscriber, contributor, editor, author, or administrator rights can exercise the vulnerable code path without additional preconditions. Successful exploitation yields read access to the database, and potentially more, depending on the database schema and user privileges.

Generated by OpenCVE AI on July 1, 2026 at 12:59 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade to Taskbuilder version 5.0.9 or later, which removes the SQL injection flaw.
  • If an upgrade cannot be performed, uninstall the plugin or restrict subscriber-level accounts to prevent the vulnerable functionality from being reached.
  • Maintain a robust audit of user activity and database access logs to detect any attempts to exploit this weakness, and apply general WordPress security measures such as limiting active user accounts and using two‑factor authentication.

Advisories

No advisories yet.

History

Wed, 01 Jul 2026 11:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 01 Jul 2026 05:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to generic SQL Injection via the 'wppm_proj_filter' parameter in all versions up to, and including, 5.0.8 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. No nonce verification is performed on the wp_ajax_wppm_view_project_tasks handler, meaning any authenticated session — including subscriber-level — can reach the vulnerable code path without any additional preconditions.

Type: Title
Values Removed: (none)
Values Added: Taskbuilder <= 5.0.8 - Authenticated (Subscriber+) SQL Injection via 'wppm_proj_filter' Parameter

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics
Values Removed: (none)
Values Added: cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-07-01T10:32:05.420Z

Reserved: 2026-06-12T14:02:31.132Z

Link: CVE-2026-12090

Vulnrichment

Updated: 2026-07-01T10:30:52.223Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T13:00:15Z

Weaknesses
  • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')