Impact
The Taskbuilder plugin for WordPress contains a SQL injection flaw that can be triggered by a subscriber. The weakness allows an attacker to insert malicious SQL statements into the database, potentially exposing sensitive data or modifying records. This vulnerability is classified as CWE-89 and can damage the integrity and confidentiality of site data.
Affected Systems
Any WordPress installation running the Taskbuilder plugin version 5.0.7 or earlier is affected. Older releases that have not been updated to 5.0.8 or later remain vulnerable.
Risk and Exploitability
The CVSS base score of 8.5 indicates a high severity of the flaw. An EPSS score of less than 1% shows that exploitation attempts are currently rare, and the issue is not listed in the CISA KEV catalog. The attack likely requires an authenticated subscriber account to supply crafted input, although a publicly accessible form could also be used if the plugin does not enforce strict input validation.
OpenCVE Enrichment