Description
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Taskbuilder WordPress plugin prior to version 5.0.8 fails to sanitise a URL parameter that is echoed into inline JavaScript on pages containing its shortcode. A crafted request can inject arbitrary script that executes in the browser context of any logged-in user, enabling session hijacking, cookie theft, or further exploitation of the site.

Affected Systems

All installations of the Taskbuilder plugin that are running a version earlier than 5.0.8 are vulnerable. No additional vendor or product details are specified beyond the plugin name and the affected major release.

Risk and Exploitability

The CVSS v3.1 base score of 7.1 indicates a high-severity vulnerability. The EPSS score is below 1%, suggesting a low probability of exploitation at present, and the flaw is not currently listed in the CISA KEV catalog. The typical attack route involves a victim clicking a crafted link or visiting a specifically formed URL that contains malicious payloads; once the logged-in user renders the page, the script executes. Because the flaw does not require elevated privileges, every authenticated user is at risk, and the impact is limited to the client side of the application.

Generated by OpenCVE AI on June 17, 2026 at 17:40 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Taskbuilder to version 5.0.8 or later to remove the XSS flaw.
  • Limit the use of the Taskbuilder shortcode to trusted user roles or remove it from public-facing pages.
  • Implement output encoding or sanitisation for URL parameters in WordPress to block malicious script injection and enforce a strict Content Security Policy (CSP).
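As an added illustration of the output-encoding recommendation above (example code written for this page, not code from the Taskbuilder plugin), the echo-into-inline-JavaScript pattern the description names is shown beside a hardened form. The shortcode tag `tb_demo`, the query parameter `return_url` and the script handle `tb-demo-frontend` are hypothetical stand-ins; the advisory does not name the real parameter.

```php
<?php
// Added example, not code from the Taskbuilder plugin. The shortcode name
// ([tb_demo]), the query parameter (return_url) and the script handle
// (tb-demo-frontend) are hypothetical stand-ins for the unnamed parameter.

// Vulnerable pattern (CWE-79): a raw request parameter is interpolated straight
// into an inline <script> block. A value containing a quote or "</script>"
// terminates the string literal or the element, and the browser runs whatever
// follows in the context of the logged-in user viewing the page.
function tb_demo_shortcode_vulnerable( $atts ) {
    $url = isset( $_GET['return_url'] ) ? $_GET['return_url'] : '';
    return "<script>var tbReturnUrl = '" . $url . "';</script>";
}

// Hardened pattern:
//  1. unslash the raw input and strip tags / control characters,
//  2. validate that it is an http(s) URL (esc_url_raw() returns '' for any
//     other scheme, e.g. javascript:), and
//  3. emit it as a JSON string literal via wp_json_encode(); with the HEX
//     flags this escapes quotes, backslashes, line terminators, '<', '>' and
//     '&', so the value can never close the literal or the <script> element.
// Handing the snippet to wp_add_inline_script() instead of printing a raw
// <script> tag keeps the data attached to an enqueued script, which also lets
// WordPress apply a CSP nonce to it when the site configures one.
function tb_demo_shortcode_hardened( $atts ) {
    $raw = isset( $_GET['return_url'] ) ? wp_unslash( $_GET['return_url'] ) : '';
    $url = esc_url_raw( sanitize_text_field( $raw ), array( 'http', 'https' ) );

    $literal = wp_json_encode(
        $url,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );

    // 'tb-demo-frontend' is assumed to be registered with wp_enqueue_script()
    // (in the footer), so this inline data is printed before it loads.
    wp_add_inline_script( 'tb-demo-frontend', 'var tbReturnUrl = ' . $literal . ';', 'before' );

    return '<div class="tb-demo"></div>';
}

// Only the hardened variant is registered as a shortcode.
add_shortcode( 'tb_demo', 'tb_demo_shortcode_hardened' );
```

The key design choice is that the value is never concatenated into JavaScript source as text: it is validated as a URL on the server and then serialised as a JSON literal, so the browser parses it as data regardless of what characters the request contained. A strict Content Security Policy with nonces, as the last bullet recommends, is a second layer that still blocks execution if an unencoded echo survives elsewhere in the page.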



Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type         Values Removed   Values Added
Weaknesses                    CWE-79
Metrics                       cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 09:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Taskbuilder; Taskbuilder taskbuilder; Wordpress; Wordpress wordpress
Vendors & Products                     Taskbuilder; Taskbuilder taskbuilder; Wordpress; Wordpress wordpress

Wed, 17 Jun 2026 07:45:00 +0000

Type          Values Removed   Values Added
Description                    The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
Title                          Taskbuilder < 5.0.8 - Reflected XSS via Shortcode
References

MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-17T10:45:44.908Z

Reserved: 2026-05-26T11:19:25.354Z

Link: CVE-2026-9570

Vulnrichment

Updated: 2026-06-17T10:45:40.607Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T09:00:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')