SQL Injection Vulnerability in Taskbuilder Project Management Tool by WordPress
CVE-2026-12090
6.5 MEDIUM
Key Information:
- Vendor: WordPress
- CVE Published: 1 July 2026
What is CVE-2026-12090?
The Taskbuilder plugin for WordPress is vulnerable to SQL injection through the 'wppm_proj_filter' parameter, because the user-supplied value is not adequately escaped before it is used in a query. This flaw allows authenticated users, with as little as subscriber-level access, to inject extra SQL queries into existing ones, which can lead to unauthorized data extraction from the database. Furthermore, the wp_ajax_wppm_view_project_tasks handler performs no nonce verification, so any authenticated session can exploit this vulnerability without additional checks.
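The two gaps described above (no nonce check, unescaped filter value) map to two standard WordPress controls, shown here as an added example that is not the plugin's code or its patch. Only the AJAX action and the parameter name come from this advisory; the function name, nonce action, table, columns and the assumed meaning of the filter (the keyword "all" or a numeric project ID) are hypothetical.

```php
<?php
// Added example: hardened pattern for an authenticated AJAX handler.
// Hypothetical: example_view_project_tasks, the 'example_view_tasks' nonce
// action, the {prefix}example_tasks table and its columns.

add_action( 'wp_ajax_wppm_view_project_tasks', 'example_view_project_tasks' );

function example_view_project_tasks() {
    global $wpdb;

    // wp_ajax_* hooks run for ANY logged-in user, subscribers included.
    // Require a nonce issued by the page that renders the task view;
    // check_ajax_referer() ends the request with 403 when it is missing or stale.
    check_ajax_referer( 'example_view_tasks', 'nonce' );

    // Assumption: the filter is either "all" or a numeric project ID.
    $raw = isset( $_POST['wppm_proj_filter'] )
        ? wp_unslash( $_POST['wppm_proj_filter'] )
        : 'all';

    // Table name is built from a trusted prefix and a constant, never from input.
    $table = $wpdb->prefix . 'example_tasks';

    if ( 'all' === $raw ) {
        // No user input reaches this statement.
        $rows = $wpdb->get_results(
            "SELECT id, task_name FROM {$table} ORDER BY id DESC LIMIT 100"
        );
    } elseif ( is_string( $raw ) && ctype_digit( $raw ) ) {
        // Validated as digits only, then bound as an integer placeholder,
        // so the value cannot alter the structure of the query.
        $rows = $wpdb->get_results(
            $wpdb->prepare(
                "SELECT id, task_name FROM {$table}
                 WHERE project = %d ORDER BY id DESC LIMIT 100",
                (int) $raw
            )
        );
    } else {
        // Arrays, empty strings and anything non-numeric are rejected outright.
        wp_send_json_error( array( 'message' => 'Invalid filter' ), 400 );
    }

    wp_send_json_success( $rows );
}
```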
Affected Version(s)
Taskbuilder – Project Management & Task Management Tool With Kanban Board 0 <= 5.0.8