Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
6.5
Taskbuilder Plugin for WordPress Lets Attackers Steal Sensitive Data
CVE-2026-1639
Summary
The Taskbuilder plugin for WordPress contains a security flaw that allows an attacker with a subscriber-level account to access sensitive information in the database. This is a serious issue because it could allow a hacker to extract confidential data. To protect your site, update the Taskbuilder plugin to the latest version.
Original title
The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' and 'sort_by' parameters in all versions up to,...
Original description
The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' and 'sort_by' parameters in all versions up to, and including, 5.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
nvd CVSS3.1
6.5
Vulnerability type
CWE-89
SQL Injection
- https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.2/includes/admin...
- https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.2/includes/admin...
- https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.2/includes/admin...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/2cfdde5c-f0e3-4597-978...
Published: 18 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026