Description
The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' and 'sort_by' parameters in all versions up to, and including, 5.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Published: 2026-02-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to unauthorized database access
Action: Patch Immediately
AI Analysis

Impact

The plugin contains a time‑based blind SQL injection vulnerability in the 'order' and 'sort_by' parameters used in the projects list page. The code fails to escape user input and does not use prepared statements, allowing an authenticated user with subscriber or higher privileges to inject arbitrary SQL into the existing query. This can result in the extraction or modification of sensitive data stored in the WordPress database. The vulnerability is identified as CWE‑89. Because the attack requires authentication, the scope is limited to users with subscriber-level access and above.

Affected Systems

All installations of the Taskbuilder – Project Management & Task Management plugin version 5.0.2 and earlier on any WordPress site are affected. The flaw resides in the admin/projects/projects_list.php file. Any WordPress website that has this plugin enabled and a user with subscriber or higher privileges is at risk.

Risk and Exploitability

The CVSS score of 6.5 reflects moderate severity, and the EPSS score of less than 1% indicates exploitation is currently unlikely. The vulnerability is not listed in CISA's KEV catalog. Because it is a blind, time-based injection, an attacker would need to observe response delays to infer data one condition at a time, making the attack slower and noisier but still feasible for a determined attacker who already holds at least a subscriber-level account. The likelihood of exploitation is low, but the confidentiality impact is high if the attacker succeeds.

Generated by OpenCVE AI on April 15, 2026 at 20:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Taskbuilder plugin version where the SQL injection issue is resolved.
  • Limit WordPress subscribers and higher roles from accessing the project list page or remove permissions tied to the 'order' and 'sort_by' abilities.
  • Implement a Web Application Firewall rule to block suspicious SQL patterns in the 'order' and 'sort_by' query parameters.

Generated by OpenCVE AI on April 15, 2026 at 20:25 UTC.
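The Impact paragraph describes the root cause (unescaped 'order' and 'sort_by' values reaching the query text with no preparation) and the recommended actions ask for the fixed version and tighter access control. The following PHP is an added illustration, not the Taskbuilder plugin's own code: it assumes a plugin-style projects listing that takes the sort column and direction from the request, and shows the unsafe pattern beside an allow-list hardening. The table name tb_projects, the column names and the capability check are assumptions.

```php
<?php
// Added example, not the Taskbuilder plugin's code. Assumes WordPress is loaded
// ($wpdb, wp_unslash(), sanitize_key(), absint(), current_user_can()).

// UNSAFE (assumed pattern): request values are concatenated into the SQL text.
// ORDER BY identifiers cannot be bound with %s/%d, so $wpdb->prepare() alone
// does not protect them; whatever arrives in 'sort_by' and 'order' is executed.
function tb_example_projects_unsafe( $wpdb ) {
    $sort_by = isset( $_GET['sort_by'] ) ? wp_unslash( $_GET['sort_by'] ) : 'id';
    $order   = isset( $_GET['order'] ) ? wp_unslash( $_GET['order'] ) : 'ASC';
    $sql = "SELECT id, title FROM {$wpdb->prefix}tb_projects ORDER BY $sort_by $order";
    return $wpdb->get_results( $sql );
}

// HARDENED: map untrusted input onto a fixed allow-list of column names and
// directions; only the allow-listed constants are ever placed in the query,
// and the numeric LIMIT/OFFSET values are bound through prepare().
function tb_example_projects_safe( $wpdb ) {
    // Assumed capability: subscribers (who lack it) get nothing back, which
    // matches the recommendation to keep low-privilege roles off this page.
    if ( ! current_user_can( 'edit_posts' ) ) {
        return array();
    }

    $allowed_columns = array( 'id', 'title', 'created_at', 'status' );
    $allowed_orders  = array( 'ASC', 'DESC' );

    // sanitize_key() strips everything but [a-z0-9_-] and lower-cases.
    $sort_by = isset( $_GET['sort_by'] ) ? sanitize_key( wp_unslash( $_GET['sort_by'] ) ) : 'id';
    $order   = isset( $_GET['order'] ) ? strtoupper( sanitize_key( wp_unslash( $_GET['order'] ) ) ) : 'ASC';

    // Strict comparison against the allow-list; anything else falls back to a default.
    if ( ! in_array( $sort_by, $allowed_columns, true ) ) {
        $sort_by = 'id';
    }
    if ( ! in_array( $order, $allowed_orders, true ) ) {
        $order = 'ASC';
    }

    $per_page = 20;
    $page     = isset( $_GET['paged'] ) ? max( 1, absint( $_GET['paged'] ) ) : 1;
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}tb_projects ORDER BY $sort_by $order LIMIT %d OFFSET %d",
        $per_page,
        ( $page - 1 ) * $per_page
    );
    return $wpdb->get_results( $sql );
}
```

A blind time-based payload in 'order' or 'sort_by' is reduced to the default column and direction by the allow-list, so the response time no longer depends on attacker-controlled SQL.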

Advisories

No advisories yet.

History

Wed, 18 Feb 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 11:00:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Taskbuilder; Taskbuilder taskbuilder – Wordpress Project Management & Task Management,kanban View; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Taskbuilder; Taskbuilder taskbuilder – Wordpress Project Management & Task Management,kanban View; Wordpress; Wordpress wordpress

Wed, 18 Feb 2026 06:00:00 +0000

Type: Description
Values Removed: (none)
Values Added: The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' and 'sort_by' parameters in all versions up to, and including, 5.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Type: Title
Values Removed: (none)
Values Added: Taskbuilder <= 5.0.2 - Authenticated (Subscriber+) SQL Injection via 'order' and 'sort_by' Parameters

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-89

Type: References
Values Removed: (none)
Values Added: (none listed)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:44:01.859Z

Reserved: 2026-01-29T18:02:14.536Z

Link: CVE-2026-1639

Vulnrichment

Updated: 2026-02-18T12:25:21.388Z

NVD

Status : Deferred

Published: 2026-02-18T06:16:34.530

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1639

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-15T20:30:13Z

Weaknesses