CVE-2026-9570
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-17

Last updated on: 2026-06-17

Assigner: WPScan

Description
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
Meta Information
Published: 2026-06-17
Last Modified: 2026-06-17
Generated: 2026-06-17
AI Q&A: 2026-06-17
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: taskbuilder
Product: wordpress_plugin
Version / Range: all versions before 5.0.8 (5.0.8 itself excluded)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Quick Actions (AI-generated insights)
Executive Summary

The Taskbuilder WordPress plugin before version 5.0.8 contains a Reflected Cross-Site Scripting (XSS) vulnerability. The plugin does not properly sanitise a URL parameter before inserting it into inline JavaScript on a frontend page that uses one of its shortcodes. An attacker can therefore craft a URL which, when opened by any logged-in user, runs attacker-supplied script in that user's browser.

The precondition is that an administrator has placed the [wppm_projects] shortcode on a page; any logged-in user, a subscriber for example, who then visits the crafted link triggers the XSS.

Impact Analysis

This vulnerability allows attacker-controlled script to run in the context of a logged-in user's session. That can result in unauthorized actions such as stealing session cookies, performing actions on behalf of the user, or redirecting the user to malicious sites.

Because any logged-in user can be targeted, a successful attack can compromise user accounts; if the victim holds a privileged role, the injected script acts with that role's privileges, so the attack can potentially escalate privileges or disrupt the normal operation of the WordPress site.

Detection Guidance

To determine exposure, check whether the site runs a Taskbuilder plugin version earlier than 5.0.8 and whether any page contains the [wppm_projects] shortcode; the site is affected when both conditions hold.

To detect exploitation attempts, monitor HTTP requests to pages containing the shortcode for URL parameter values that carry script tags or JavaScript fragments, including URL-encoded or double-encoded forms.

The advisory gives no specific commands; a general approach includes:

  • Search web server logs for requests to pages with the [wppm_projects] shortcode whose query parameters contain suspicious or encoded JavaScript payloads.
  • On a staging copy of the site, use tools like curl or wget to request the page with crafted parameters and confirm whether the response echoes the value into inline JavaScript without sanitisation.
  • Check the installed version via WP-CLI with a command like: wp plugin list | grep taskbuilder
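An added example, not code from the advisory or from the Taskbuilder plugin, that turns the log-search and version-check steps above into a script. The /projects/ page path, the access-log lines and the indicator regex are constructed assumptions to adapt to your own site:

```python
"""Added helper: flag access-log requests to [wppm_projects] pages carrying script
content in their query parameters, and check a Taskbuilder version against 5.0.8."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

FIXED_VERSION = (5, 0, 8)  # first fixed release named in the advisory
# Assumption: site-specific paths of the pages an admin placed the shortcode on.
SHORTCODE_PAGES = {"/projects/"}
# Generic, heuristic indicators of script content in a parameter value.
XSS_INDICATORS = re.compile(r"<\s*/?\s*script|javascript:|\bon\w+\s*=", re.IGNORECASE)
LOG_RE = re.compile(  # combined log format as written by Apache/Nginx
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

def plugin_is_vulnerable(version: str) -> bool:
    """True when a dotted version string sorts before the fixed 5.0.8 release."""
    return tuple(int(p) for p in version.split(".")) < FIXED_VERSION

def suspicious_params(target: str) -> list:
    """Return (name, decoded value) pairs whose value carries a script indicator;
    parse_qsl decodes once and the extra unquote catches double-encoded values."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote(value)
        if XSS_INDICATORS.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_log(lines) -> list:
    """Flag requests to shortcode pages whose query string looks like an XSS probe."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or urlsplit(m["target"]).path not in SHORTCODE_PAGES:
            continue
        hits = suspicious_params(m["target"])
        if hits:
            findings.append({"ip": m["ip"], "time": m["time"], "params": hits})
    return findings

# Constructed sample log lines (not real traffic); the third targets a page without the shortcode.
SAMPLE_LOG = [
    '203.0.113.5 - - [17/Jun/2026:10:01:02 +0000] "GET /projects/?tab=list HTTP/1.1" 200 5120',
    '203.0.113.9 - - [17/Jun/2026:10:02:30 +0000] "GET /projects/?tab=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5188',
    '203.0.113.9 - - [17/Jun/2026:10:03:11 +0000] "GET /about/?q=%3Cscript%3E HTTP/1.1" 200 900',
    '198.51.100.2 - - [17/Jun/2026:10:04:40 +0000] "GET /projects/?tab=%253Cscript%2520src%253Dx%253E HTTP/1.1" 200 5190',
]
```

Running scan_log(SAMPLE_LOG) returns two findings, one for the plainly encoded probe and one for the double-encoded probe, while the request to /about/ is ignored because that page does not carry the shortcode.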
Mitigation Strategies

The immediate step to mitigate this vulnerability is to update the Taskbuilder WordPress plugin to version 5.0.8 or later, where the issue has been fixed.

Until the update can be applied, restrict access to pages containing the [wppm_projects] shortcode to trusted users only, and avoid clicking on suspicious links that may exploit this vulnerability.

Additionally, consider implementing Web Application Firewall (WAF) rules to block suspicious requests containing malicious script payloads targeting this vulnerability.
