Description
Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions.
Published: 2026-06-15
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Taskbuilder plugin for WordPress contains a SQL injection flaw that can be triggered by a subscriber. The weakness allows an attacker to insert malicious SQL statements into the database, potentially exposing sensitive data or modifying records. This vulnerability is classified as CWE-89 and can damage the integrity and confidentiality of site data.

Affected Systems

Any WordPress installation running the Taskbuilder plugin version 5.0.7 or earlier is affected. Older releases that have not been updated to 5.0.8 or later remain vulnerable.

Risk and Exploitability

The CVSS base score of 8.5 indicates a high severity of the flaw. An EPSS score of less than 1% shows that exploitation attempts are currently rare, and the issue is not listed in the CISA KEV catalog. The attack likely requires an authenticated subscriber account to supply crafted input, although a publicly accessible form could also be used if the plugin does not enforce strict input validation.

Generated by OpenCVE AI on June 18, 2026 at 00:21 UTC.

Remediation

Vendor Solution

Update the WordPress Taskbuilder Plugin to the latest available version (at least 5.0.8).


OpenCVE Recommended Actions

  • Apply the official update to Taskbuilder version 5.0.8 or newer.
  • If the plugin must remain functional, block subscriber users from creating new tasks until the security fix is deployed.
  • Audit any custom code that interacts with Taskbuilder’s database functions and ensure it uses prepared statements or proper input sanitization.

Generated by OpenCVE AI on June 18, 2026 at 00:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 16 Jun 2026 07:00:00 +0000

Type Values Removed Values Added
First Time appeared Taskbuilder
Taskbuilder taskbuilder
Wordpress
Wordpress wordpress
Vendors & Products Taskbuilder
Taskbuilder taskbuilder
Wordpress
Wordpress wordpress

Tue, 16 Jun 2026 06:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Description Subscriber SQL Injection in Taskbuilder <= 5.0.7 versions.
Title WordPress Taskbuilder plugin <= 5.0.7 - SQL Injection vulnerability
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Subscriptions

Taskbuilder Taskbuilder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-06-16T01:16:26.119Z

Reserved: 2026-06-08T10:11:03.696Z

Link: CVE-2026-52697

cve-icon Vulnrichment

Updated: 2026-06-16T01:16:20.747Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T21:17:24.377

Modified: 2026-06-15T21:24:32.790

Link: CVE-2026-52697

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T00:30:14Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')