WordPress Security Bulletin: Taskbuilder – WordPress Project Management & Task Management plugin (CVE-2026-1639)

On this page

Security Alert Summary

The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress contains a time-based blind SQL injection vulnerability that can be reached via the order and sort_by parameters. Authenticated users with subscriber-level access or higher may be able to extract sensitive information from the site database by appending SQL to existing queries.


CVE Details

  • CVE ID: CVE-2026-1639
  • Affected plugin / component: Taskbuilder – WordPress Project Management & Task Management plugin for WordPress
  • Affected versions: All versions up to and including 5.0.2
  • Published: February 18, 2026 at 6:16:34 AM UTC
  • Last modified: February 18, 2026 at 6:16:34 AM UTC
  • CVSS v3.1: Base Score 6.5, MEDIUM — CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
  • Authentication / privileges / user interaction: Requires authentication with low privileges (subscriber-level or above). No user interaction required.
  • Primary impact: Confidentiality: HIGH; Integrity: NONE; Availability: NONE
  • CWE / weakness: CWE-89 (SQL Injection)

Technical Details

The plugin is vulnerable to a time-based blind SQL Injection via the order and sort_by parameters. According to the vulnerability description, user-supplied values for these parameters are insufficiently escaped and the existing SQL query is not adequately prepared, allowing an attacker to append additional SQL into queries executed by the plugin.

The issue is shown in the plugin code paths referenced in the report (for example, includes/admin/projects/projects_list.php as noted in the references). The vulnerability exists because input from order and sort_by is used in SQL context without proper escaping or use of prepared statements, enabling blind, time-based techniques to infer database data.

Exploitation lets an authenticated low-privileged user execute crafted input that causes the database to reveal information over multiple requests using time delays; the report indicates confidentiality impact only. The disclosure does not claim modification or deletion of data (integrity and availability impacts are listed as none).


How This Could Impact Your Website

In a typical multi-user WordPress site, a site owner manages plugin installations, an internal staff member (editor) performs content work, and external contributors or contractors may have subscriber-level accounts. An attacker who obtains or creates a subscriber-level account can submit requests that exploit the order and sort_by parameters to extract information from the database.

Practical consequences include exposure of user information stored in the database (for example, internal user email addresses or other fields), which can increase the risk of targeted phishing or social engineering against staff and contributors. The vulnerability does not, based on the reported details, indicate direct ability to modify site content or take the site offline, but it does raise confidentiality concerns.

If you’re unsure whether your site is affected or how to assess your current user roles and plugins, it may be worth having a professional review.


Recommended Actions

  • Update the affected plugin as soon as a patched version is available (no fixed version is specified in the CVE entry).
  • Review and reduce unnecessary user roles and permissions; limit the number of accounts with elevated access.
  • Enforce strong passwords and enable two-factor authentication for editors and administrators.
  • Remove unused or unmaintained plugins to reduce the attack surface.
  • Monitor site activity and logs for unusual behavior that could indicate attempts to exploit SQL injection vectors.

If you’d like help reviewing your plugins, user roles, or overall WordPress security posture, our team at Freshy is happy to help.


References