CVE-2026-2289
📋 TL;DR
The Taskbuilder WordPress plugin is vulnerable to stored cross-site scripting (XSS) in admin settings. Authenticated attackers with administrator privileges can inject malicious scripts that execute when users view affected pages. This only impacts WordPress multi-site installations or sites where unfiltered_html capability is disabled.
💻 Affected Systems
- WordPress Taskbuilder plugin
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Administrator account compromise leading to full site takeover, data theft, or malware distribution to site visitors.
Likely Case
Session hijacking, credential theft, or defacement of admin pages by malicious administrators.
If Mitigated
Limited impact due to requirement of administrator credentials and specific WordPress configurations.
🎯 Exploit Status
Requires administrator-level WordPress credentials and specific WordPress configuration conditions.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 5.0.4 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3468819%40taskbuilder&new=3468819%40taskbuilder&sfp_email=&sfph_mail=
Restart Required: No
Instructions:
1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find Taskbuilder plugin. 4. Click 'Update Now' if available. 5. Alternatively, download latest version from WordPress plugin repository and manually update.
🔧 Temporary Workarounds
Enable unfiltered_html for administrators
allEnable the unfiltered_html capability for administrator users in WordPress, which prevents this vulnerability from being exploitable.
Add to wp-config.php: define('DISALLOW_UNFILTERED_HTML', false);
Disable Taskbuilder plugin
linuxTemporarily disable the Taskbuilder plugin until patched.
wp plugin deactivate taskbuilder
🧯 If You Can't Patch
- Restrict administrator account access to trusted personnel only
- Implement web application firewall (WAF) rules to block XSS payloads
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Taskbuilder → Version. If version is 5.0.3 or earlier, system is vulnerable if multi-site or unfiltered_html disabled.Check Version:
wp plugin get taskbuilder --field=versionVerify Fix Applied:
Confirm Taskbuilder plugin version is 5.0.4 or later in WordPress admin panel.📡 Detection & Monitoring
Log Indicators:
- Unusual admin activity modifying Taskbuilder settings
- Suspicious script tags in admin page requests
Network Indicators:
- Unexpected JavaScript payloads in admin area requests
SIEM Query:
source="wordpress" AND (uri_path="/wp-admin/admin.php" OR uri_path CONTAINS "taskbuilder") AND (http_user_agent CONTAINS "<script>" OR post_data CONTAINS "<script>")🔗 References
- https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.1/includes/admin/email_notifications/wppm_get_en_general_setting.php#L30
- https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.1/includes/class-wppm-functions.php#L19
- https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/admin/email_notifications/wppm_get_en_general_setting.php#L30
- https://plugins.trac.wordpress.org/browser/taskbuilder/trunk/includes/class-wppm-functions.php#L19
- https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3468819%40taskbuilder&new=3468819%40taskbuilder&sfp_email=&sfph_mail=
- https://www.wordfence.com/threat-intel/vulnerabilities/id/81e26924-c9eb-4ddf-89e3-a8bf95d23b78?source=cve
