Taskbuilder Plugin Allows Attackers to Bypass Access Controls
CVE-2026-1640
Summary
The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress (all versions up to and including 5.0.2) performs no authorization check on its project and task comment submission handlers. Any authenticated user with subscriber-level access or higher can therefore post comments on any project or task, including private projects they cannot view or are not assigned to, and can inject arbitrary HTML and CSS through the insufficiently sanitized comment_body parameter. Update the plugin to a release newer than 5.0.2.
Original description
The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions (AJAX actions: wppm_submit_proj_comment and wppm_submit_task_comment). This makes it possible for authenticated attackers, with subscriber-level access and above, to create comments on any project or task (including private projects they cannot view or are not assigned to), and inject arbitrary HTML and CSS via the insufficiently sanitized comment_body parameter.
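To make the two defects in the description concrete, here is an added, hypothetical sketch of a task-comment AJAX handler, first in the shape that has the bug and then hardened. It is not Taskbuilder's code: only the action name wppm_submit_task_comment and the comment_body parameter come from the advisory; the wp_ajax_ hook prefix and the WordPress functions are standard, while the table name, the task_id parameter and the wppm_user_can_view_task() helper are assumptions.

```php
<?php
// Added illustration, not the Taskbuilder plugin's code. The hook name follows
// WordPress's wp_ajax_{action} convention for the wppm_submit_task_comment
// action named in the advisory. Table name, task_id and the helper are assumed.

// --- Shape with the bug (CWE-862). A nonce check is present, but a nonce only
// --- proves the request came from this site's own form; it is not authorization,
// --- so any logged-in user (subscriber and up) can comment on any task.
function wppm_submit_task_comment_vulnerable() {
    global $wpdb;
    check_ajax_referer( 'wppm_submit_task_comment', 'nonce' );

    $task_id = absint( $_POST['task_id'] ?? 0 );
    // Stored as-is: arbitrary HTML/CSS in comment_body is rendered for other users.
    $body = wp_unslash( $_POST['comment_body'] ?? '' );

    $wpdb->insert( $wpdb->prefix . 'wppm_task_comments', array(
        'task_id'      => $task_id,
        'user_id'      => get_current_user_id(),
        'comment_body' => $body,
    ) );
    wp_send_json_success();
}

// --- Hardened shape: authenticate, authorize per task, then sanitize the body.
function wppm_submit_task_comment_hardened() {
    global $wpdb;
    check_ajax_referer( 'wppm_submit_task_comment', 'nonce' );

    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }

    $task_id = absint( $_POST['task_id'] ?? 0 );

    // Authorization: the caller must be allowed to view this specific task
    // (assigned to it, or a member of its project). Assumed plugin helper.
    if ( ! $task_id || ! wppm_user_can_view_task( get_current_user_id(), $task_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // Sanitization: wp_kses_post() keeps only the HTML allowed in post content,
    // dropping <script>, <style> and on* handlers, and reduces inline style
    // attributes to an allowlisted set of CSS properties (safecss_filter_attr).
    $body = wp_kses_post( wp_unslash( $_POST['comment_body'] ?? '' ) );
    if ( '' === trim( wp_strip_all_tags( $body ) ) ) {
        wp_send_json_error( 'empty comment', 400 );
    }

    $wpdb->insert( $wpdb->prefix . 'wppm_task_comments', array(
        'task_id'      => $task_id,
        'user_id'      => get_current_user_id(),
        'comment_body' => $body,
    ) );
    wp_send_json_success( array( 'id' => $wpdb->insert_id ) );
}

// Assumed helper: administrators pass; everyone else must be granted access to
// the task by the plugin's own data model (assignment or project membership),
// exposed here through a filter so the decision lives in one place.
function wppm_user_can_view_task( $user_id, $task_id ) {
    if ( user_can( $user_id, 'manage_options' ) ) {
        return true;
    }
    return (bool) apply_filters( 'wppm_user_can_view_task', false, $user_id, $task_id );
}

add_action( 'wp_ajax_wppm_submit_task_comment', 'wppm_submit_task_comment_hardened' );
```

A quick check after updating: as a subscriber, POST to /wp-admin/admin-ajax.php with action=wppm_submit_task_comment (or wppm_submit_proj_comment) and an ID for a private project or task you are not assigned to; a fixed build should refuse the request rather than create the comment, and a comment_body containing a <style> block or an inline style attribute should be stored without it.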
NVD CVSS 3.1 base score: 4.3
Vulnerability type: CWE-862 (Missing Authorization)
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026