Security Alert Summary
The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress contains a SQL injection vulnerability in the wppm_proj_filter parameter. Authenticated users with subscriber-level access and above can reach the vulnerable code path due to missing nonce verification on the wp_ajax_wppm_view_project_tasks handler, and craft input that appends additional SQL to existing queries to extract sensitive information from the database.
CVE Details
- CVE ID: CVE-2026-12090
- Affected plugin: Taskbuilder – Project Management & Task Management Tool With Kanban Board
- Affected versions: All versions up to and including 5.0.8
- Published: July 1, 2026 at 5:16:16 AM UTC
- Last modified: July 1, 2026 at 1:56:17 PM UTC
- CVSS v3.1: Base Score 6.5 – MEDIUM
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
- Attack vector: Network
- Attack complexity: Low
- Privileges required: Low (authenticated user, subscriber-level and above)
- User interaction: None
- Scope: Unchanged
- Impact: Confidentiality: High; Integrity: None; Availability: None
- CWE: CWE-89 (SQL Injection)
Technical Details
The vulnerability is a generic SQL injection in the handling of the wppm_proj_filter parameter. The plugin fails to sufficiently escape or prepare the user-supplied parameter before inserting it into an existing SQL query, allowing an authenticated attacker to append additional SQL statements to the query. The AJAX action handler wp_ajax_wppm_view_project_tasks does not perform nonce verification, so any authenticated session, including subscriber-level accounts, can trigger the vulnerable code path without additional preconditions.
Successful exploitation can be used to extract sensitive information from the database by modifying the query logic through injected SQL. The issue stems from missing input sanitization and lack of prepared statements for the affected parameter.
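The two defects named above (no nonce verification on the AJAX handler, and a user-supplied filter value reaching SQL without being prepared) are easiest to see side by side. The following is an added illustration, not code from the Taskbuilder plugin: the table name, column names, nonce action name, capability and allowed filter values are all assumed for the example, and the vulnerable function only shows the interpolation pattern the advisory describes.

```php
<?php
// Added example (not the plugin's own code). The vulnerable function shows the
// pattern the advisory describes; the hardened function shows the standard
// WordPress remediation. Table name 'wppm_tasks', column 'status', nonce action
// 'wppm_view_tasks' and the capability 'edit_posts' are assumptions.

// --- Vulnerable pattern: nonce missing, value interpolated into the SQL text ---
function wppm_view_project_tasks_vulnerable() {
    global $wpdb;
    // No check_ajax_referer(): any logged-in session can call this handler
    // directly, not just the plugin's own page.
    $filter = $_POST['wppm_proj_filter'];   // untrusted, unescaped, unprepared
    // String interpolation makes the request value part of the query itself.
    $sql  = "SELECT id, title FROM {$wpdb->prefix}wppm_tasks WHERE status = '$filter'";
    $rows = $wpdb->get_results( $sql );
    wp_send_json_success( $rows );
}

// --- Hardened form: nonce, capability check, allow-list, prepared statement ---
function wppm_view_project_tasks_hardened() {
    global $wpdb;

    // 1. Nonce check (CSRF protection): rejects requests that did not originate
    //    from a page where the plugin issued this nonce. Dies on failure.
    check_ajax_referer( 'wppm_view_tasks', 'nonce' );

    // 2. Capability check (authorization): a nonce alone does not decide who is
    //    allowed to run the query; the capability does.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Validate the filter against an allow-list instead of escaping free text.
    $allowed = array( 'open', 'in_progress', 'done' );
    $filter  = isset( $_POST['wppm_proj_filter'] )
        ? sanitize_text_field( wp_unslash( $_POST['wppm_proj_filter'] ) )
        : '';
    if ( ! in_array( $filter, $allowed, true ) ) {
        wp_send_json_error( 'invalid filter', 400 );
    }

    // 4. Prepared statement: %s binds the value as data, never as SQL syntax.
    $sql = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}wppm_tasks WHERE status = %s",
        $filter
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}

// wp_ajax_* hooks are reachable by any authenticated user, which is why the
// capability check in step 2 matters independently of the nonce.
add_action( 'wp_ajax_wppm_view_project_tasks', 'wppm_view_project_tasks_hardened' );
```

Two points worth keeping apart when reviewing a fix like this: the nonce addresses request forgery and restricts the handler to the plugin's own UI flow, but it is the `$wpdb->prepare()` call (and, where possible, an allow-list) that removes the injection; and because `wp_ajax_` hooks are registered for every logged-in role, an explicit `current_user_can()` check is what keeps subscriber-level sessions out of the code path rather than the nonce.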
How This Could Impact Your Website
In a multi-user WordPress site, imagine a site owner, several internal staff members with editor roles, and an external contractor with a subscriber account using the task management plugin. Because subscriber-level access is sufficient to reach the vulnerable code path, a compromised or malicious subscriber account could leverage the injection to read database records beyond their intended access.
Practical consequences include exposure of internal user email addresses and other sensitive records stored in the database, which can increase the risk of targeted phishing or social engineering against staff and contractors. Based on the supplied information, the vulnerability does not enable modification or deletion of data; exposure of confidential data is the primary risk.
If you're unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review of your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available.
- Review and reduce unnecessary user roles, especially contributor and subscriber accounts that do not require access.
- Enforce strong passwords and two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from the site.
- Monitor site activity and database access for unusual behavior or signs of data exfiltration.
If you'd like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.6/includes/admin/projects/open_project/wppm_view_project_tasks.php#L181
- https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.6/includes/admin/projects/open_project/wppm_view_project_tasks.php#L21
- https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.6/includes/class-wppm-admin.php#L506
- https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/admin/projects/open_project/wppm_view_project_tasks.php#L181
- https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/admin/projects/open_project/wppm_view_project_tasks.php#L21
- https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/class-wppm-admin.php#L506
- https://plugins.trac.wordpress.org/changeset/3576941/taskbuilder/trunk/includes/admin/projects/open_project/wppm_view_project_tasks.php
- https://plugins.trac.wordpress.org/changeset?old_path=%2Ftaskbuilder/tags/5.0.8&new_path=%2Ftaskbuilder/tags/5.0.9
- https://www.wordfence.com/threat-intel/vulnerabilities/id/d1a78208-0909-4134-bc78-19e395fe7e24?source=cve