PT-2026-20280 · WordPress · Taskbuilder – Wordpress Project Management & Task Management
Poystick
+1
·
Published
2026-02-18
·
Updated
2026-02-18
·
CVE-2026-1640
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Taskbuilder – WordPress Project Management & Task Management plugin versions prior to 5.0.3
Description
The Taskbuilder plugin for WordPress is affected by an authorization bypass issue. Insufficient authorization checks on project and task comment submission functions allow authenticated attackers with subscriber-level access or higher to create comments on any project or task, even those they are not authorized to view. Attackers can inject arbitrary HTML and CSS through the
comment body parameter via the wppm submit proj comment and wppm submit task comment AJAX actions.Recommendations
Update Taskbuilder – WordPress Project Management & Task Management plugin to version 5.0.3 or later.
Fix
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Taskbuilder – Wordpress Project Management & Task Management