Severity: HIGH | CVE-2026-9570 | CNA: WPScan

CVE-2026-9570: Taskbuilder < 5.0.8 - Reflected XSS via Shortcode

The Taskbuilder WordPress plugin before 5.0.8 does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.
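As an added illustration of the bug class the description refers to (this is not Taskbuilder's code and not taken from the advisory), a shortcode renderer that echoes a query-string value into an inline script block, beside a hardened version. The parameter name `tb_view` and the `tb_demo_*` functions are hypothetical.

```php
<?php
// Added illustration of the bug class in the advisory, not Taskbuilder's code:
// a query-string value echoed into an inline <script> block that a shortcode
// renders. The parameter name tb_view and the tb_demo_* functions are hypothetical.

// Vulnerable pattern: the raw value is concatenated into a JavaScript string
// literal. A value holding a closing quote (or a "</script>" sequence) ends the
// literal early, and whatever follows is parsed as script in the victim's browser.
function tb_demo_render_vulnerable( array $query ) {
    $view = isset( $query['tb_view'] ) ? $query['tb_view'] : 'list';
    return '<script>var tbView = "' . $view . '";</script>';
}

// Hardened pattern: emit the value as a JSON literal with quotes, slashes and
// HTML-significant characters escaped, so it can only ever be read as data.
// In a plugin, use wp_json_encode() (or wp_add_inline_script() /
// wp_localize_script() instead of hand-built <script> tags); plain json_encode()
// is used here so the file runs without WordPress loaded.
function tb_demo_render_fixed( array $query ) {
    $view = isset( $query['tb_view'] ) ? (string) $query['tb_view'] : 'list';
    $literal = json_encode(
        $view,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    return '<script>var tbView = ' . $literal . ';</script>';
}

// Constructed sample value: closes the string literal and appends a statement.
$sample = array( 'tb_view' => 'list";console.log("injected");//' );

// In the vulnerable output the appended statement sits outside the string and
// executes; in the hardened output the quotes and slashes are escaped, so the
// whole value stays inside one string literal and nothing extra runs.
echo tb_demo_render_vulnerable( $sample ), PHP_EOL;
echo tb_demo_render_fixed( $sample ), PHP_EOL;
```

Compare the two lines the script prints: the only difference between a stored-as-data value and an executed one is whether the output encoding keeps the string context closed.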

Metrics

CVSS v3.1: 7.1
Severity: HIGH
Fixed in: 5.0.8
Affected Products: 1


HarborGuard Analysis

Synopsis

Reflected Cross-Site Scripting (XSS) affects the Taskbuilder WordPress plugin in versions before 5.0.8. The vulnerability is reachable over the network with no authentication required on the attacker's part, but it requires a logged-in user to visit a crafted URL. Successful exploitation lets an attacker execute arbitrary JavaScript in the victim's browser session, enabling session token theft, page content tampering, and limited disruption of the affected page. A patched-image rebuild at version 5.0.8 is available on HarborGuard for environments running an affected version of this plugin.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-9570 is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built WordPress images that bundle the Taskbuilder plugin.

Triage: Available

HarborGuard is capable of scoring this finding at CVSS 7.1 (HIGH) and weighting it against each environment's compliance policy to determine urgency. Triage routing to the appropriate team inbox within each customer organization is available automatically based on policy configuration.

Patch: Available

A patched-image rebuild at Taskbuilder version 5.0.8 becomes available on HarborGuard as soon as the fix version is confirmed against a matched image. For customers who opt into auto-remediation, HarborGuard rebuilds the affected image, runs a regression test pass, and opens a PR against the affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must deliver a crafted URL to a victim over the network, reaching any frontend page where a Taskbuilder shortcode is rendered.

  • Authentication: Not required

    No credentials are required on the attacker's side; the attacker constructs a malicious link that anyone can send.

  • Victim interaction: Required

    A logged-in WordPress user must click or follow the attacker's crafted URL for the reflected payload to execute in their browser session.

  • Attack complexity

    The exploit is reliable and condition-free once the crafted URL is delivered; no race conditions or special environmental factors are needed.

Blast Radius

  • Reads session cookies or authentication tokens belonging to the logged-in victim, enabling account takeover.
  • Injects and executes arbitrary JavaScript in the victim's browser, allowing modification of visible page content.
  • Can submit authenticated actions (form submissions, settings changes) silently on behalf of the victim within the same WordPress session.
  • Causes limited disruption to the affected page's functionality as rendered in the victim's browser.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-9570 is active across all connected registries and pipelines from the moment the CVE enters upstream feeds, with coverage extending to custom-built WordPress images that bundle the Taskbuilder plugin. For environments where a match is found, a rebuilt image pinned to Taskbuilder 5.0.8 is made available. For customers who opt into auto-remediation, HarborGuard rebuilds the matched image, runs a regression test suite, and opens a PR against affected workloads; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where auto-remediation is not enabled, the finding appears in the triage queue scored at CVSS 7.1 (HIGH) and routed according to each organization's compliance policy, so the responsible team can act on the upgrade to 5.0.8 directly.


Fix available: 5.0.8

Affected packages
  • Unknown / Taskbuilder: < 5.0.8 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L