Reflected Cross-Site Scripting Vulnerability in Taskbuilder Plugin for WordPress
CVE-2026-9570
Currently unrated
Key Information:
- Vendor: WordPress
- Status
- Vendor
- CVE Published: 17 June 2026
Badges
- Exploit Exists
- Public PoC
What is CVE-2026-9570?
The Taskbuilder plugin for WordPress, versions prior to 5.0.8, is susceptible to a Reflected Cross-Site Scripting vulnerability due to improper sanitization of a URL parameter. This flaw allows an attacker to inject malicious JavaScript code into a frontend page that utilizes one of the plugin's shortcodes. When this page is accessed by a logged-in user, the injected script is executed in the context of their session, potentially compromising their security and privacy.
Affected Version(s)
Taskbuilder 0 < 5.0.8
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.