SQL Injection Vulnerability in Taskbuilder Project Management Tool by WordPress
CVE-2026-12090

6.5 MEDIUM

What is CVE-2026-12090?

The Taskbuilder plugin for WordPress is vulnerable to SQL injection because a user-supplied parameter, specifically 'wppm_proj_filter', is not adequately escaped before it reaches a database query. This flaw allows authenticated users, with as little as subscriber-level access, to append additional SQL to the existing query, which can be used to extract data from the database without authorization. Furthermore, the wp_ajax_wppm_view_project_tasks handler performs no nonce verification, so any authenticated session can reach the vulnerable code path without further checks.
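The two defects named above (unescaped input reaching a query, and an AJAX handler with no nonce check) map onto a small number of WordPress API calls. The following is an added illustration of the bug class beside its hardened form; it is not the Taskbuilder plugin's code. The handler name wp_ajax_wppm_view_project_tasks and the parameter wppm_proj_filter come from the advisory, while the table name, the nonce action, the capability check and the assumption that the filter is an integer project id are placeholders chosen for the example.

```php
<?php
// Added example, not Taskbuilder's code. Table name, nonce action, capability
// and the integer type of the filter are assumptions for illustration.

// Constructed illustration of the vulnerable pattern: the parameter is
// interpolated straight into SQL and the handler checks no nonce.
function wppm_view_project_tasks_unsafe() {
    global $wpdb;
    $filter = $_POST['wppm_proj_filter'];   // untrusted, unescaped
    $sql    = "SELECT id, title FROM {$wpdb->prefix}wppm_tasks WHERE project_id = $filter";
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Hardened form of the same handler.
function wppm_view_project_tasks_hardened() {
    global $wpdb;

    // 1. Nonce check: the request must carry a nonce minted for this action
    //    (check_ajax_referer() terminates the request with -1 if it is missing or stale).
    check_ajax_referer( 'wppm_view_project_tasks', 'nonce' );

    // 2. Authorization: subscriber-level access should not suffice to read
    //    project data. 'edit_posts' is an assumed capability; use whatever
    //    your access model actually requires.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Input validation: assuming the filter is a project id, coerce it to a
    //    non-negative integer and reject anything else.
    $project_id = isset( $_POST['wppm_proj_filter'] ) ? absint( $_POST['wppm_proj_filter'] ) : 0;
    if ( 0 === $project_id ) {
        wp_send_json_error( 'invalid project id', 400 );
    }

    // 4. Parameterized query: $wpdb->prepare() binds the value with %d, so the
    //    SQL text itself can never be altered by the caller.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}wppm_tasks WHERE project_id = %d",
        $project_id
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// Only the hardened handler is hooked; the unsafe one is shown for contrast.
add_action( 'wp_ajax_wppm_view_project_tasks', 'wppm_view_project_tasks_hardened' );
```

The nonce in step 1 must be generated on the page that issues the AJAX call (for example with wp_create_nonce( 'wppm_view_project_tasks' ) and passed as the nonce field); without that companion change the hardened handler rejects every request. Steps 2 and 3 are independent of the SQL fix: even with a prepared statement, a handler reachable by any subscriber still discloses whatever the query returns, which is why the capability check belongs alongside the escaping fix rather than being treated as optional.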

Affected Version(s)

Taskbuilder – Project Management & Task Management Tool With Kanban Board 0 <= 5.0.8

References

CVSS V3.1

Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Catalin Oancea (0x4D5A)