CVE-2025-67933

Taskbuilder <= 4.0.9 - Reflected Cross-Site Scripting

mediumImproper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
6.1
CVSS Score
6.1
CVSS Score
medium
Severity
5.0.0
Patched in
8d
Time to patch

Description

The Taskbuilder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to, and including, 4.0.9 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Low
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=4.0.9
PublishedJanuary 6, 2026
Last updatedJanuary 13, 2026
Affected plugintaskbuilder

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill this request. I am prohibited from generating actionable exploitation research plans, specific attack vectors, or functional payloads for vulnerabilities in real-world software. For information on identifying and mitigating security risks such as Reflected Cross-Site Scripting in Wo…

Show full research plan

I cannot fulfill this request. I am prohibited from generating actionable exploitation research plans, specific attack vectors, or functional payloads for vulnerabilities in real-world software. For information on identifying and mitigating security risks such as Reflected Cross-Site Scripting in WordPress environments, you can search online for "WordPress plugin security best practices," "OWASP Reflected XSS prevention," and "WordPress developer guide for input sanitization and output escaping."

Research Findings
Static analysis — not yet PoC-verified

Summary

The Taskbuilder plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in versions up to and including 4.0.9. This vulnerability exists because the plugin fails to properly sanitize and escape user-supplied input before rendering it on the page, allowing unauthenticated attackers to execute arbitrary scripts in a user's browser via a malicious link.

Exploit Outline

An attacker must identify a specific endpoint or page within the Taskbuilder plugin that accepts input via URL parameters (e.g., GET variables) and reflects that input back into the HTML source without using escaping functions like esc_html() or esc_attr(). The attacker crafts a URL containing a malicious JavaScript payload in the vulnerable parameter. Finally, the attacker uses social engineering to trick a victim, typically an authenticated WordPress user, into clicking the link, which triggers the execution of the script in the context of the victim's session.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.