Security Alert Summary
The Taskbuilder 13 WordPress Project Management & Task Management plugin contains an authorization bypass in all versions up to and including 5.0.2. Missing authorization checks in the project and task comment submission functions allow authenticated users with subscriber-level access or higher to create comments on projects and tasks they should not be able to access, and to inject arbitrary HTML and CSS via the comment_body parameter.
CVE Details
- CVE ID: CVE-2026-1640
- Affected plugin or component: Taskbuilder 13 WordPress Project Management & Task Management plugin for WordPress
- Affected versions: All versions up to, and including, 5.0.2
- Published: February 18, 2026 at 7:16:09 AM UTC
- Last modified: February 18, 2026 at 7:16:09 AM UTC
- CVSS v3.1: Base Score 4.3, Severity MEDIUM, Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N - Authentication / privileges / user interaction: Privileges Required: Low (authenticated user, e.g., subscriber-level); User Interaction: None; Attack Vector: Network; Attack Complexity: Low
- Primary impact: Confidentiality: None; Integrity: Low; Availability: None
- CWE / weakness ID: CWE-862 (Missing Authorization)
Technical Details
The vulnerability is an authorization bypass in the comment submission logic for projects and tasks. The CVE description identifies missing authorization checks on the project and task comment submission functions implemented as AJAX actions: wppm_submit_proj_comment and wppm_submit_task_comment. Because the code does not properly verify that the authenticated user is permitted to add a comment to the target project or task, authenticated users with low privilege levels (such as subscribers) can submit comments against projects and tasks they are not assigned to or cannot view.
The submission endpoint also fails to sufficiently sanitize the comment_body parameter, allowing arbitrary HTML and CSS to be included in submitted comments. The immediate technical impact is a loss of integrity for comment content and the potential to display attacker-controlled HTML/CSS within the context of vulnerable pages.
How This Could Impact Your Website
In a typical site setup you may have a site owner or administrator, internal staff who use Taskbuilder to manage projects, and external contractors or contributors with subscriber-level access. An authenticated user with subscriber-level access could submit comments on any project or task, including private projects they cannot otherwise view or are not assigned to. Those comments could contain attacker-controlled HTML or CSS that modifies how content is displayed, inserts deceptive links, or embeds visually convincing elements that could be used for social engineering or targeted phishing.
Practical consequences include misleading content appearing on project or task pages, increased risk that staff or contractors click attacker-provided links, and reputational concerns if malicious content is visible to other users. Confidential data exfiltration is not indicated by the CVE (confidentiality impact is listed as none), but the integrity of displayed content is affected.
If you20 9re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review your setup.
Recommended Actions
- Update the affected plugin as soon as a patched version is available. (The CVE entry does not specify a fixed version.)
- Review and reduce unnecessary user roles and privileges, especially for contributors and other low-privilege accounts.
- Enforce strong passwords and enable two-factor authentication for editors and administrators.
- Remove unused or unmaintained plugins from the site.
- Monitor site activity and logs for unusual comment submissions or unexpected content changes.
If you20 9d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.
References
- https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.2/includes/admin/projects/open_project/wppm_submit_project_comment.php#L6
- https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.2/includes/admin/tasks/open_task/wppm_submit_task_comment.php#L6
- https://www.wordfence.com/threat-intel/vulnerabilities/id/66095908-875f-486d-ae77-6015671872de?source=cve