Vulnerabilities ›

CVE-2026-6225

Medium

CWE-89 — Weakness Type

                    Published: May 14, 2026                      ·  Modified: May 17, 2026                      ·  Source: NVD                

CVSS v3

6.5

🔗 NVD Official

📄 Description (English)

The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'project_search' parameter in all versions up to, and including, 5.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

🤖 AI Executive Summary

The Taskbuilder WordPress plugin versions up to 5.0.6 contains a time-based blind SQL injection vulnerability in the 'project_search' parameter that allows authenticated attackers to extract sensitive database information. Attackers with Subscriber-level access can exploit insufficient escaping and lack of prepared statements to append malicious SQL queries.

📄 Description (Arabic)

ثغرة حقن SQL العمياء المعتمدة على الوقت في إضافة Taskbuilder للمشاريع والمهام في WordPress تسمح للمهاجمين المصرح لهم بمستوى المشترك فما فوق باستخراج البيانات الحساسة من قاعدة البيانات. تنتج الثغرة عن عدم كفاية الهروب من المعاملات المدخلة من قبل المستخدم وعدم استخدام جمل SQL معدة مسبقاً.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 16, 2026 02:00

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government banking telecom healthcare

🎯 MITRE ATT&CK Techniques

T1190 T1110 T1040

⚖️ Saudi Risk Score (AI)

7.0

/ 10.0

🔧 Remediation Steps (English)

Update the Taskbuilder plugin to version 5.0.7 or later immediately. Implement prepared statements for all database queries, properly escape user input, and apply principle of least privilege to database accounts. Monitor database logs for suspicious query patterns and restrict plugin access to trusted users only.

🔧 خطوات المعالجة (العربية)

قم بتحديث إضافة Taskbuilder إلى الإصدار 5.0.7 أو أحدث فوراً. طبق جمل SQL معدة مسبقاً لجميع استعلامات قاعدة البيانات، وتحقق بشكل صحيح من مدخلات المستخدم، وطبق مبدأ أقل صلاحية لحسابات قاعدة البيانات. راقب سجلات قاعدة البيانات للاستعلامات المريبة وقيد الوصول إلى الإضافة للمستخدمين الموثوقين فقط.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

3.1.1 3.2.1 3.2.2

🔵 SAMA CSF

ID.RA-1 PR.DS-1 PR.DS-2

🟡 ISO 27001:2022

A.12.6.1 A.14.2.1 A.14.2.5

🔗 References & Sources 2

🔗

https://plugins.trac.wordpress.org/changeset/3507782/taskbuilder

security@wordfence.com

🔗

https://www.wordfence.com/threat-intel/vulnerabilities/id/561479ed-2402-4511-9344-d6b9e...

security@wordfence.com

📊 CVSS Score

6.5

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredL — Low / Local

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityH — High

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score6.5

CWECWE-89

EPSS0.03%

Exploit No

Patch ✗ No

Published 2026-05-14

Source Feed nvd

🇸🇦 Saudi Risk Score

7.0

/ 10.0 — Saudi Risk

Priority: HIGH

🏷️ Tags

CWE-89

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-6225

Introduce Yourself

Sign In Required