CVE-2025-22716
Published: 21 January 2025
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in taskbuilder Taskbuilder taskbuilder allows SQL Injection.This issue affects Taskbuilder: from n/a through <= 3.0.6.
Security Summary
CVE-2025-22716 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the Taskbuilder WordPress plugin. The issue impacts versions from an unspecified starting point through 3.0.6. Published on 2025-01-21 with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), it enables attackers to manipulate SQL queries due to inadequate input sanitization.
An authenticated attacker with low privileges can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows high-impact confidentiality breaches, such as unauthorized access to sensitive data in the database, while also causing low-impact availability disruption; the changed scope (S:C) indicates potential effects on other system components beyond the plugin itself.
The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/taskbuilder/vulnerability/wordpress-taskbuilder-plugin-3-0-6-sql-injection-vulnerability?_s_id=cve provides details on this WordPress plugin vulnerability, including recommended mitigations such as updating to a patched version where available. Security practitioners should consult the advisory for specific patch information and hardening guidance.
Details
- CWE(s)