CVE-2026-9570 | The Taskbuilder WordPress plugin before 5.0.8 does not prop… | CVSS 7.1 HIGH

Description

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.

Metadata

CVE ID: CVE-2026-9570
State: PUBLISHED
Assigner: WPScan
Reserved: 2026-05-26 11:19 UTC
Published: 2026-06-17 06:00 UTC
Last updated: 2026-06-17 10:45 UTC
Primary CWE: CWE-79
CWE-79 Improper Neutralization of Input During Web Page Gene…
Vendor / Product: Unknown / Taskbuilder
Sources: cve.org · NVD

Severity & Metrics

7.1 HIGH CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

SSVC — CISA Coordinator

Exploitation: PoC
Automatable: no
Tech. Impact: partial

Affected products (1)

Vendor	Product	Platform	Versions
Unknown	Taskbuilder	—	0 < 5.0.8

Weakness (CWE)

CWE	Source	Description
—	cna	CWE-79 Cross-Site Scripting (XSS)
CWE-79	adp	CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS scores (1)

Score	Severity	Version	Source	Vector
7.1	HIGH	3.1	adp	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L

References (1)

https://wpscan.com/vulnerability/e9abd7eb-39f1-49d7-a70e-b07cf3680399/