CVE-2026-9570

HIGH 7.1

Taskbuilder < 5.0.8 - Reflected XSS via Shortcode

CVSS Score

7.1

EPSS Score

0.0%

EPSS Percentile

0th

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.

Vendor	unknown
Product	taskbuilder
Published	Jun 17, 2026
Last Updated	Jun 17, 2026

Stay Ahead of the Next One

Get instant alerts for unknown taskbuilder

Be the first to know when new high vulnerabilities affecting unknown taskbuilder are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Unknown / Taskbuilder

0 < 5.0.8

References

NVD ↗ CVE.org ↗ EPSS Data ↗

wpscan.com: https://wpscan.com/vulnerability/e9abd7eb-39f1-49d7-a70e-b07cf3680399/

Credits

Luca Jungnickel WPScan