Impact
The plugin contains a generic SQL injection flaw caused by the lack of proper escaping on the wppm_proj_filter parameter and the absence of nonce verification in the wp_ajax_wppm_view_project_tasks handler. The vulnerability allows any authenticated user with subscriber or higher privileges to append malicious SQL clauses to existing queries and extract confidential data from the WordPress database. The impact is a compromise of database confidentiality and the potential exposure of user or project data.
Affected Systems
The flaw exists in Taskbuilder – Project Management & Task Management Tool With Kanban Board, a WordPress plugin. Versions up to and including 5.0.8 are affected; no specific version sub‑range beyond this is mentioned, so all releases of the plugin before the 5.0.9 update are vulnerable.
Risk and Exploitability
The CVSS score of 6.5 indicates a moderate severity. No EPSS score is reported, so the exploitation probability cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog. The likely attack vector is an authenticated session – any user with subscriber, contributor, editor, author, or administrator rights can exercise the vulnerable code path without additional preconditions. Successful exploitation yields read access to the database, and potentially more, depending on the database schema and user privileges.
OpenCVE Enrichment