CVE-2026-9570
HighCVSS 7.1Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitize a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
Risk Assessment
The organization may be exposed to XSS attacks, which could lead to the theft of user session data and other sensitive information.
Recommendation
It is recommended to update the Taskbuilder plugin to version 5.0.8 or later to mitigate this vulnerability.
Original NVD description (English source)
The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.

