CVE-2026-1640 in Taskbuilder Plugin
Summary
by MITRE • 02/18/2026
The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions (AJAX actions: wppm_submit_proj_comment and wppm_submit_task_comment). This makes it possible for authenticated attackers, with subscriber-level access and above, to create comments on any project or task (including private projects they cannot view or are not assigned to), and inject arbitrary HTML and CSS via the insufficiently sanitized comment_body parameter.
Analysis
by VulDB Data Team • 02/18/2026
The vulnerability identified as CVE-2026-1640 affects the Taskbuilder WordPress plugin in all versions up to and including 5.0.2. It is a critical authorization bypass that undermines the plugin's access control model: the plugin's AJAX handling functions do not validate the caller's permissions, which opens a path for unauthorized modifications to project and task data. Because the restrictions that should stop users from commenting on projects and tasks they have no legitimate access to are not enforced, the flaw affects both the confidentiality and the integrity of project data, as it lets malicious actors inject content into systems they should not be able to reach.
Technically, the flaw resides in the wppm_submit_proj_comment and wppm_submit_task_comment AJAX actions, which do not perform an authorization check before processing a comment submission. These functions never verify whether the authenticated user is allowed to comment on the target project or task, so the access controls that should normally gate such actions are effectively absent. Insufficient sanitization of the comment_body parameter adds a second attack vector: malicious users can inject arbitrary HTML and CSS directly into the comment content. Combined, the two defects are particularly dangerous, because an attacker can not only bypass authorization but also potentially mount cross-site scripting attacks against other users who view the malicious comments. The flaw maps to CWE-863, "Incorrect Authorization", which covers access control checks that are not properly enforced.
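The pattern the analysis describes, shown as an added example in WordPress-plugin PHP next to a hardened handler; this is not Taskbuilder's code. The parameter name project_id, the nonce name wppm_comment_nonce, the meta key _wppm_members and every example_* function are assumptions, and the task-comment action would get the identical treatment with a task ID in place of the project ID.

```php
<?php
// Added illustrative example; not Taskbuilder's code. project_id, wppm_comment_nonce,
// _wppm_members and all example_* names are assumptions.

// BEFORE: the CWE-863 pattern the analysis describes. Any logged-in user reaches
// this handler, no object-level check runs, and comment_body is stored verbatim.
// (Shown for contrast only; it is not registered on the hook below.)
function example_vulnerable_submit_proj_comment() {
    $project_id = (int) $_POST['project_id'];
    $body       = $_POST['comment_body'];                      // raw HTML/CSS survives
    example_store_comment( $project_id, get_current_user_id(), $body );
    wp_send_json_success();
}

// AFTER: the same handler with the controls the advisory says are missing.
add_action( 'wp_ajax_wppm_submit_proj_comment', 'example_hardened_submit_proj_comment' );
function example_hardened_submit_proj_comment() {
    // 1. The request must carry a nonce this site issued (CSRF protection; dies on failure).
    check_ajax_referer( 'wppm_comment_nonce', 'nonce' );

    // 2. Object-level authorization: "logged in" is not "allowed to see this project".
    $user_id    = get_current_user_id();
    $project_id = isset( $_POST['project_id'] ) ? absint( $_POST['project_id'] ) : 0;
    if ( ! $project_id || ! example_user_can_view_project( $user_id, $project_id ) ) {
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }

    // 3. Input sanitization against a small formatting allowlist.
    $body = isset( $_POST['comment_body'] )
        ? wp_kses( wp_unslash( (string) $_POST['comment_body'] ), example_comment_allowed_html() )
        : '';
    if ( '' === trim( wp_strip_all_tags( $body ) ) ) {
        wp_send_json_error( array( 'message' => 'Empty comment.' ), 400 );
    }

    $comment_id = example_store_comment( $project_id, $user_id, $body );
    wp_send_json_success( array( 'comment_id' => $comment_id ) );
}

// No <style> element and no style/class attributes, so HTML and CSS payloads are dropped.
function example_comment_allowed_html() {
    return array(
        'a'      => array( 'href' => true, 'rel' => true ),
        'strong' => array(), 'em' => array(), 'code' => array(),
        'p'      => array(), 'br' => array(), 'ul' => array(), 'ol' => array(), 'li' => array(),
    );
}

// Hypothetical access rule: administrators, or users listed as project members.
// Replace with the plugin's real project/assignment model.
function example_user_can_view_project( $user_id, $project_id ) {
    if ( user_can( $user_id, 'manage_options' ) ) {
        return true;
    }
    $members = array_map( 'intval', (array) get_post_meta( $project_id, '_wppm_members', true ) );
    return in_array( (int) $user_id, $members, true );
}

// Storage via core's comment table; the plugin's own storage layer is not known here.
// wp_insert_comment() unslashes its input, so the already-sanitized body is slashed first.
function example_store_comment( $project_id, $user_id, $body ) {
    return wp_insert_comment( array(
        'comment_post_ID' => $project_id,
        'user_id'         => $user_id,
        'comment_content' => wp_slash( $body ),
        'comment_type'    => 'wppm_comment',
    ) );
}
```

The order matters: the nonce check rejects forged requests, the object-level check is the one CWE-863 is about and must use the target's identity rather than a role alone, and the allowlist runs after authorization so that rejected callers never reach the parsing code. A capability check such as current_user_can( 'edit_posts' ) on its own would still let any contributor comment on every private project.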
The operational impact goes beyond simple data injection: authenticated attackers with subscriber-level privileges or higher can manipulate project management data across the entire system. They can create comments on private projects they should not be able to access, which can lead to information disclosure and data corruption. The ability to inject HTML and CSS opens the door to more sophisticated attacks, including phishing attempts, defacement of project pages and potential escalation of privileges within the plugin's functionality. The vulnerability undermines the trust model of the project management system, as users can pollute project data with unauthorized content and compromise the integrity of the whole task management workflow. The impact is most severe where project data contains sensitive information or where users hold differing levels of access.
Organizations using the Taskbuilder plugin should update to the latest available version, in which the authorization bypass has been patched, or apply custom code that enforces proper access controls on the affected AJAX actions. The plugin developers should implement comprehensive input validation and output sanitization to prevent HTML injection, and ensure that every user action is properly authenticated and authorized. Security monitoring should be extended to detect unauthorized comment submissions, and access control policies should be reviewed so that only authorized users can interact with a given project's data. The vulnerability illustrates the importance of authorization checks in web applications, especially in plugins that handle sensitive project management data, and aligns with ATT&CK techniques T1078 (Valid Accounts) and T1566 (Phishing). Regular security audits of WordPress plugins are essential to find similar authorization bypasses that could compromise the security posture of the entire WordPress installation.
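The stop-gap mitigation and the monitoring recommended above, as an added example in the form of a WordPress mu-plugin; it is not part of Taskbuilder. It hooks the two AJAX actions named in the advisory ahead of the plugin's own handler, rejects callers below a configurable capability, rewrites comment_body with a strict allowlist, and emits one log line per denied or sanitized request. The capability 'edit_posts', the example_* names and the log format are assumptions.

```php
<?php
/**
 * Plugin Name: Example Taskbuilder comment guard
 * Description: Added illustrative mu-plugin (not part of Taskbuilder). Place in
 *              wp-content/mu-plugins/ as a stop-gap until a fixed release is installed.
 */

// Coarse gate: capability required to submit any project or task comment. Subscribers
// hold only 'read', so 'edit_posts' closes the subscriber-level vector the advisory
// describes. The value is an assumption; change it via the filter to fit the site's roles.
function example_wppm_required_cap() {
    return apply_filters( 'example_wppm_comment_cap', 'edit_posts' );
}

// Strict formatting allowlist: no <style>, no style/class attributes, so neither
// HTML nor CSS payloads in comment_body reach storage.
function example_wppm_allowed_html() {
    return array(
        'a' => array( 'href' => true ), 'strong' => array(), 'em' => array(), 'code' => array(),
        'p' => array(), 'br' => array(), 'ul' => array(), 'ol' => array(), 'li' => array(),
    );
}

// One structured line per event (constructed format); the action hook lets a SIEM
// forwarder or alerting plugin pick the same event up.
function example_wppm_log( $event, $action, $user_id, $detail ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    error_log( sprintf( 'wppm-guard event=%s action=%s user=%d ip=%s detail=%s',
        $event, $action, $user_id, $ip, $detail ) );
    do_action( 'example_wppm_guard_event', $event, $action, $user_id, $ip, $detail );
}

function example_wppm_guard_comment_submission() {
    $action  = isset( $_REQUEST['action'] ) ? sanitize_key( $_REQUEST['action'] ) : '';
    $user_id = get_current_user_id();

    // Authorization gate. wp_send_json_error() ends the request, so the plugin's own
    // handler never runs for a denied caller.
    if ( ! current_user_can( example_wppm_required_cap() ) ) {
        example_wppm_log( 'denied', $action, $user_id, 'missing capability ' . example_wppm_required_cap() );
        wp_send_json_error( array( 'message' => 'Not permitted.' ), 403 );
    }

    // Sanitize comment_body in place so whatever handler runs next sees filtered markup.
    if ( isset( $_POST['comment_body'] ) ) {
        $raw   = wp_unslash( (string) $_POST['comment_body'] );
        $clean = wp_kses( $raw, example_wppm_allowed_html() );
        // Heuristic detection signal: markup was submitted and some of it was stripped.
        // Entities are normalized first so a plain "&" in benign text does not fire.
        if ( false !== strpos( $raw, '<' ) && $clean !== wp_kses_normalize_entities( $raw ) ) {
            example_wppm_log( 'sanitized', $action, $user_id,
                'removed ' . ( strlen( $raw ) - strlen( $clean ) ) . ' bytes of markup' );
        }
        $_POST['comment_body'] = wp_slash( $clean );
    }
}

// Priority 0 runs ahead of a handler registered at WordPress' default priority 10.
foreach ( array( 'wppm_submit_proj_comment', 'wppm_submit_task_comment' ) as $ajax_action ) {
    add_action( 'wp_ajax_' . $ajax_action, 'example_wppm_guard_comment_submission', 0 );
}
```

Two caveats follow from the design. The gate is role-based, not object-based, because the advisory does not describe the plugin's project membership model, so it removes the subscriber-level vector but does not by itself stop a higher-role user from commenting on a private project; that requires the object-level check inside the plugin's own handler. And the early hook only wins if the plugin registers its handler at the default priority, which should be confirmed on the installed version before relying on it. Once the site runs a fixed release, remove the mu-plugin so the two checks do not diverge.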