cleantalk
Vulnerabilities and Security Researches

Taskbuilder – WordPress Project & Task Management plugin, CVE-2026-2289

CVE, Research URL

CVE-2026-2289

Home page URL

Security reports for Taskbuilder – WordPress Project & Task Management plugin

Application

Taskbuilder – WordPress Project & Task Management plugin

Published on
Mar 04, 2026
Research Description
The Taskbuilder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.0.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.
Affected versions
max 5.0.4.
Status
vulnerable
Previous vulnerability researches
Timeline Block (CVE-2026-1228) , Apr 15, 2026
Timeline Block (CVE-2025-26754) , Feb 18, 2025
New vulnerability
AMP Enhancer – Compatibility Layer for Official AMP Plugin (CVE-2026-2027) , Apr 16, 2026
WaveSurfer-WP (CVE-2026-1909) , Apr 16, 2026
xmlrpc attacks blocker (CVE-2026-2502) , Apr 16, 2026
Templately – Gutenberg & Elementor Template Library: 5000+ Free & Pro Ready Templates & Cloud! (CVE-2026-0831) , Apr 16, 2026
iRobots.txt SEO (CVE-2025-68840) , Apr 16, 2026