Impact
The Taskbuilder WordPress plugin before version 5.0.8 does not properly sanitise a URL parameter that is echoed into inline JavaScript on pages containing its shortcode. This flaw allows an attacker to inject arbitrary script that executes in the browser context of any logged‑in user, potentially leading to session hijacking, cookie theft, or further exploitation. The vulnerability is a classic Reflected Cross‑Site Scripting, classified under CWE‑79. The attack requires the victim to visit a crafted URL, but the specific parameters or page context are not detailed in the official description; this is inferred from the plugin’s handling of URL parameters.
Affected Systems
All installations of the Taskbuilder plugin running a version earlier than 5.0.8 are vulnerable. No additional vendor or product details are specified beyond the plugin name and the affected major release. The plugin is a WordPress add‑on, so the vulnerability applies to any WordPress site that has Taskbuilder installed and has the shortcode enabled on publicly accessible pages.
Risk and Exploitability
The CVSS score of 7.1 indicates a high severity flaw. The EPSS score is under 1 %, implying a relatively low probability of exploitation at this time, and the issue is not listed in the CISA KEV catalog. The likely attack route involves a malicious link or crafted URL containing the vulnerable parameter; once a logged‑in user loads the page, the injected script runs in the user’s browser. Because the flaw does not require elevated privileges, every authenticated user is at risk, and the impact is limited to the client side of the application.
OpenCVE Enrichment