CVE-2026-52697
Description
WordPress Taskbuilder plugin 5.0.7 and earlier allows subscriber-level SQL injection, enabling database compromise.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Taskbuilder plugin for WordPress versions up to and including 5.0.7 is vulnerable to SQL injection, exploitable by authenticated users with subscriber-level privileges [1]. The vulnerability exists in a database query that does not properly sanitize user input.
Exploitation
An attacker must first obtain a subscriber account on the target WordPress site, which is typically low-barrier if registration is enabled [1]. The attacker then sends a crafted request to a vulnerable endpoint, injecting malicious SQL code that the application executes against the database.
Impact
Successful exploitation allows the attacker to read, modify, or delete database contents, including user credentials, posts, and options [1]. This can lead to full site compromise, including administrator account takeover and data exfiltration.
Mitigation
The vendor has released version 5.0.8, which patches the SQL injection [1]. Users should update to this version immediately. If an immediate update is not possible, Patchstack provides a virtual mitigation rule to block exploitation attempts until the update is applied [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 (<=5.0.7 + 1 more)
- (no CPE) range: <=5.0.7
- (no CPE) range: <=5.0.7
Patches
0 (No patches discovered yet.)
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References
1
News mentions
0 (No linked articles in our index yet.)