Description
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
Published: 2026-06-17
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The Taskbuilder WordPress plugin before version 5.0.8 does not properly sanitise a URL parameter that is echoed into inline JavaScript on pages containing its shortcode. This flaw allows an attacker to inject arbitrary script that executes in the browser context of any logged‑in user, potentially leading to session hijacking, cookie theft, or further exploitation. The vulnerability is a classic Reflected Cross‑Site Scripting, classified under CWE‑79. The attack requires the victim to visit a crafted URL, but the specific parameters or page context are not detailed in the official description; this is inferred from the plugin’s handling of URL parameters.

Affected Systems

All installations of the Taskbuilder plugin running a version earlier than 5.0.8 are vulnerable. No additional vendor or product details are specified beyond the plugin name and the affected major release. The plugin is a WordPress add‑on, so the vulnerability applies to any WordPress site that has Taskbuilder installed and has the shortcode enabled on publicly accessible pages.

Risk and Exploitability

The CVSS score of 7.1 indicates a high severity flaw. The EPSS score is under 1 %, implying a relatively low probability of exploitation at this time, and the issue is not listed in the CISA KEV catalog. The likely attack route involves a malicious link or crafted URL containing the vulnerable parameter; once a logged‑in user loads the page, the injected script runs in the user’s browser. Because the flaw does not require elevated privileges, every authenticated user is at risk, and the impact is limited to the client side of the application.

Generated by OpenCVE AI on June 18, 2026 at 14:14 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Taskbuilder to version 5.0.8 or later to remove the XSS flaw.
  • Limit the use of the Taskbuilder shortcode to trusted user roles or remove it from public‑facing pages.
  • Implement output encoding or sanitisation for URL parameters in WordPress to block malicious script injection and enforce a strict Content Security Policy (CSP).

Generated by OpenCVE AI on June 18, 2026 at 14:14 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-79
Metrics cvssV3_1

{'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 09:15:00 +0000

Type Values Removed Values Added
First Time appeared Taskbuilder
Taskbuilder taskbuilder
Wordpress
Wordpress wordpress
Vendors & Products Taskbuilder
Taskbuilder taskbuilder
Wordpress
Wordpress wordpress

Wed, 17 Jun 2026 07:45:00 +0000

Type Values Removed Values Added
Description The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
Title Taskbuilder < 5.0.8 - Reflected XSS via Shortcode
References

Subscriptions

Taskbuilder Taskbuilder
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: WPScan

Published:

Updated: 2026-06-17T10:45:44.908Z

Reserved: 2026-05-26T11:19:25.354Z

Link: CVE-2026-9570

cve-icon Vulnrichment

Updated: 2026-06-17T10:45:40.607Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:15:06Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')