cleantalk
Vulnerabilities and Security Researches

Taskbuilder – WordPress Project & Task Management plugin, CVE-2026-1639

CVE, Research URL

CVE-2026-1639

Home page URL

Security reports for Taskbuilder – WordPress Project & Task Management plugin

Application

Taskbuilder – WordPress Project & Task Management plugin

Published on
Feb 18, 2026
Research Description
The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'order' and 'sort_by' parameters in all versions up to, and including, 5.0.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Affected versions
max 5.0.3.
Status
vulnerable
Previous vulnerability researches
CubeWP – All-in-One Dynamic Content Framework (CVE-2024-48039) , Oct 12, 2024
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-4315) , Jun 15, 2025
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-30994) , Jun 15, 2025
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-6461) , Apr 15, 2026
CubeWP – All-in-One Dynamic Content Framework (CVE-2025-68036) , Jan 10, 2026
New vulnerability
AMP Enhancer – Compatibility Layer for Official AMP Plugin (CVE-2026-2027) , Apr 16, 2026
WaveSurfer-WP (CVE-2026-1909) , Apr 16, 2026
xmlrpc attacks blocker (CVE-2026-2502) , Apr 16, 2026
Templately – Gutenberg & Elementor Template Library: 5000+ Free & Pro Ready Templates & Cloud! (CVE-2026-0831) , Apr 16, 2026
iRobots.txt SEO (CVE-2025-68840) , Apr 16, 2026