CVE-2026-52697: WordPress Taskbuilder plugin <= 5.0.7 - SQL Injection vulnerability
Subscriber-level SQL injection in Taskbuilder versions <= 5.0.7.
Metrics
- CVSS v3.1: 8.5
- Severity: HIGH
- Fixed in: none published
- Affected Products: 1
HarborGuard Analysis
Synopsis
SQL injection vulnerability in the WordPress Taskbuilder plugin affects all versions up to and including 5.0.7. The vulnerability is reachable over the network and requires only a low-privilege (subscriber-level) account, the default role WordPress assigns on self-registration, so any registered user can trigger it. Successful exploitation reads confidential data from the underlying database and can partially disrupt service availability. No fixed version has been published; HarborGuard tracks the advisory for patch availability.
HarborGuard Coverage
Detection: Available. Detection of CVE-2026-52697 is available across every HarborGuard environment; the CVE is ingested from upstream feeds including Patchstack within minutes of publication and matched against customer images running the Taskbuilder plugin, including custom-built WordPress images. Coverage extends to images at every stage of the pipeline, from registry scan to pre-deployment gate.
Triage: Available. Triage uses the CVSS v3.1 score of 8.5 (High), weighted against each customer environment's compliance policy to prioritize routing. Findings are surfaced to the appropriate team inbox within each customer organization based on configured escalation rules.
Remediation: Pending upstream. Because no upstream fix has been published for CVE-2026-52697, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment a fix version is released. Customers with auto-remediation enabled will receive the rebuild, a regression test run, and a PR opened against affected workloads automatically once a fix becomes available.
Exploit Conditions
- Network reachability: Required
The attacker must reach the WordPress service over the network; no local or physical access is needed.
- Authentication: Required
A low-privilege account such as a standard subscriber is sufficient; no administrative access is needed.
- Victim interaction: Not required
No victim action is needed; the attacker sends crafted requests directly to the vulnerable endpoint.
- Attack complexity: Low
The exploit is reliable and condition-free, requiring no race conditions or special environmental factors.
Blast Radius
- Reads data from the WordPress database, including stored user records (password hashes in the users table), session token metadata, and any other tables readable by the database user. WordPress plugins share the single database credential from wp-config.php, so in a default installation that is every table in the site's database.
- The Changed scope (S:C) rating reflects that the vulnerable component is the plugin but the impact lands on the shared WordPress database used by core and every other plugin, so the attacker can query data well outside the plugin's own tables.
- Partial disruption of service availability is possible, which can cause degraded or intermittent responses from the affected WordPress installation.
How HarborGuard Handles This
Available on HarborGuard: continuous monitoring of the Taskbuilder advisory for CVE-2026-52697, with no fix currently published. HarborGuard re-evaluates the advisory on every ingest cycle so that a patched-image rebuild becomes available the moment Taskbuilder ships a remediated version. For customers with auto-remediation enabled, the rebuild, regression test, and PR against affected workloads will be triggered automatically at that point. In the interim, compensating controls worth considering include deactivating the plugin where it is not essential, disabling open registration (the "Anyone can register" setting) so that attackers cannot self-provision the subscriber account the exploit requires, network-policy isolation so that only the WordPress workload can reach the database host, and granting the WordPress database user only the privileges it needs, since any SQL injection runs with that user's rights. Where compliance policy permits, HarborGuard can flag images containing the affected plugin version as non-compliant to block their promotion to production until a fix is available.
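The version gate in the last sentence is easy to get wrong if plugin versions are compared as strings ("5.0.10" sorts before "5.0.7" lexically). The following is an added example of such a check, not HarborGuard's scanner or Taskbuilder code: it reads the Version: line of a standard WordPress plugin header and compares it numerically against the advisory's inclusive ceiling of 5.0.7. The header texts are constructed sample input, and because no fixed version has been published the ceiling is the only thing the check can key on.

```python
"""Flag a WordPress plugin header whose declared version falls in the affected range.

Added example for this page; not HarborGuard or Taskbuilder code. The sample
headers below are constructed, not copied from the real plugin.
"""
import re
from typing import Optional, Tuple

AFFECTED_MAX = "5.0.7"  # advisory ceiling, inclusive; no fixed version published yet

# Matches the 'Version:' line of a standard WordPress plugin header comment,
# e.g. " * Version: 5.0.7".
_VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9A-Za-z.\-]*)\s*$", re.MULTILINE)


def parse_plugin_version(header_text: str) -> Optional[str]:
    m = _VERSION_RE.search(header_text)
    return m.group(1) if m else None


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '5.0.7' into (5, 0, 7, 1) so tuple comparison orders numerically.

    A pre-release suffix such as '5.0.8-rc1' gets a trailing 0 instead of 1,
    so it sorts below the matching release, the way version_compare would.
    """
    base, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in base.split(".") if p.isdigit())
    return nums + ((0,) if suffix else (1,))


def is_affected(header_text: str, max_affected: str = AFFECTED_MAX) -> Optional[bool]:
    """True if the header's version is <= max_affected, False if newer,
    None if no version could be read (treat as a finding to review, not a pass)."""
    v = parse_plugin_version(header_text)
    if v is None:
        return None
    return version_key(v) <= version_key(max_affected)


# Constructed sample plugin headers (not the real plugin's file contents).
SAMPLE_AFFECTED = """<?php
/**
 * Plugin Name: Taskbuilder
 * Version: 5.0.7
 */
"""
SAMPLE_NEWER = """<?php
/**
 * Plugin Name: Taskbuilder
 * Version: 5.0.10
 */
"""

if __name__ == "__main__":
    for label, text in (("affected", SAMPLE_AFFECTED), ("newer", SAMPLE_NEWER)):
        print(label, parse_plugin_version(text), is_affected(text))
```

Returning None rather than False for an unreadable header matters for a policy gate: a stripped or obfuscated header should block promotion for review, not pass silently as "not affected".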
- Taskbuilder / Taskbuilder ≤ 5.0.7
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L