{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1640", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-01-29T18:12:27.876Z", "datePublished": "2026-02-18T06:42:42.092Z", "dateUpdated": "2026-04-08T16:57:56.438Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:57:56.438Z"}, "affected": [{"vendor": "taskbuilder", "product": "Taskbuilder \u2013 Project Management & Task Management Tool With Kanban Board", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "5.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Taskbuilder \u2013 WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions (AJAX actions: wppm_submit_proj_comment and wppm_submit_task_comment). This makes it possible for authenticated attackers, with subscriber-level access and above, to create comments on any project or task (including private projects they cannot view or are not assigned to), and inject arbitrary HTML and CSS via the insufficiently sanitized comment_body parameter."}], "title": "Taskbuilder <= 5.0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Project/Task Comment Creation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66095908-875f-486d-ae77-6015671872de?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.2/includes/admin/projects/open_project/wppm_submit_project_comment.php#L6"}, {"url": "https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.2/includes/admin/tasks/open_task/wppm_submit_task_comment.php#L6"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Tarc\u00edsio Luchesi De Almeida Silva"}], "timeline": [{"time": "2026-01-30T17:24:15.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-02-17T17:31:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-18T14:21:17.967782Z", "id": "CVE-2026-1640", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:21:35.209Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1640", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-18T14:21:17.967782Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-18T14:21:32.243Z"}}], "cna": {"title": "Taskbuilder <= 5.0.2 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Project/Task Comment Creation", "credits": [{"lang": "en", "type": "finder", "value": "Tarc\u00edsio Luchesi De Almeida Silva"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "taskbuilder", "product": "Taskbuilder \u2013 WordPress Project Management & Task Management,kanban view", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "5.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-01-30T17:24:15.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-02-17T17:31:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66095908-875f-486d-ae77-6015671872de?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.2/includes/admin/projects/open_project/wppm_submit_project_comment.php#L6"}, {"url": "https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.2/includes/admin/tasks/open_task/wppm_submit_task_comment.php#L6"}], "descriptions": [{"lang": "en", "value": "The Taskbuilder \u2013 WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions (AJAX actions: wppm_submit_proj_comment and wppm_submit_task_comment). This makes it possible for authenticated attackers, with subscriber-level access and above, to create comments on any project or task (including private projects they cannot view or are not assigned to), and inject arbitrary HTML and CSS via the insufficiently sanitized comment_body parameter."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-02-18T06:42:42.092Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1640", "state": "PUBLISHED", "dateUpdated": "2026-02-18T14:21:35.209Z", "dateReserved": "2026-01-29T18:12:27.876Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-02-18T06:42:42.092Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Taskbuilder \u2013 WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions (AJAX actions: wppm_submit_proj_comment and wppm_submit_task_comment). This makes it possible for authenticated attackers, with subscriber-level access and above, to create comments on any project or task (including private projects they cannot view or are not assigned to), and inject arbitrary HTML and CSS via the insufficiently sanitized comment_body parameter."}, {"lang": "es", "value": "El plugin Taskbuilder \u2013 WordPress Project Management &amp; Task Management para WordPress es vulnerable a una omisi\u00f3n de autorizaci\u00f3n en todas las versiones hasta la 5.0.2, inclusive. Esto se debe a la falta de comprobaciones de autorizaci\u00f3n en las funciones de env\u00edo de comentarios de proyectos y tareas (acciones AJAX: wppm_submit_proj_comment y wppm_submit_task_comment). Esto hace posible que atacantes autenticados, con acceso de nivel de suscriptor y superior, creen comentarios en cualquier proyecto o tarea (incluidos proyectos privados que no pueden ver o a los que no est\u00e1n asignados), e inyecten HTML y CSS arbitrarios a trav\u00e9s del par\u00e1metro comment_body insuficientemente saneado."}], "id": "CVE-2026-1640", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-02-18T07:16:09.153", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.2/includes/admin/projects/open_project/wppm_submit_project_comment.php#L6"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/taskbuilder/tags/5.0.2/includes/admin/tasks/open_task/wppm_submit_task_comment.php#L6"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/66095908-875f-486d-ae77-6015671872de?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,5.0.2]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Taskbuilder \u2013 WordPress Project Management & Task Management,kanban view", "source": "cna", "vendor": "taskbuilder"}, "product": "taskbuilder_\u2013_wordpress_project_management_&_task_management,kanban_view", "vendor": "taskbuilder"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-04-15T20:23:44.829535+00:00", "value": {"mitigation_remediation": ["Upgrade Taskbuilder to the latest version available, which removes the missing authorization checks and includes proper sanitization of comment input.", "Restrict subscriber and lower role permissions so that only users with explicit project or task access can invoke the comment submission endpoints.", "Implement server\u2011side sanitization of the comment_body parameter to strip harmful HTML and CSS before storing or rendering it."], "summary": {"action": "Apply patch", "impact": "Authorization bypass with arbitrary content injection"}, "threat_synthesis": {"affected_systems": "All installations of Taskbuilder up through version 5.0.2 are affected. The vulnerability exists in the AJAX handlers that process project and task comment submissions, and it requires the installation of the plugin on a WordPress site.", "description_and_impact": "Taskbuilder for WordPress is vulnerable to an authorization bypass that allows any authenticated user with at least subscriber privileges to add comments to any project or task, including those private or not assigned to them. The comment body is insufficiently sanitized, enabling injection of arbitrary HTML and CSS. This flaw can be abused to compromise the integrity and appearance of the project management interface for users who view the injected content.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate risk, while the EPSS score of less than 1% suggests a low likelihood of current exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Based on the description, the attack vector is a web-based interaction with the plugin\u2019s AJAX endpoints that an authenticated user can reach through the site\u2019s normal interface. The attacker only needs subscriber-level access and can therefore exploit the flaw without prior elevated privileges."}}}}, "created": "2026-02-18T10:32:37.132927+00:00", "updated": "2026-04-15T20:30:13.776874+00:00", "vendors": ["taskbuilder", "taskbuilder$PRODUCT$taskbuilder_\u2013_wordpress_project_management_&_task_management,kanban_view", "wordpress", "wordpress$PRODUCT$wordpress"]}