Atomic Edge analysis of CVE-2026-1639:
This vulnerability is an authenticated time-based blind SQL injection in the Taskbuilder WordPress plugin, affecting versions up to and including 5.0.2. The flaw resides in the project and task listing functionality, allowing attackers with subscriber-level access or higher to inject malicious SQL payloads via the ‘order’ and ‘sort_by’ parameters. The CVSS score of 6.5 reflects the combination of authenticated access requirement and the ability to extract sensitive database information.
Root Cause:
The vulnerability originates from insufficient input validation and insecure SQL query construction in two primary files: ‘taskbuilder/includes/admin/projects/projects_list.php’ and ‘taskbuilder/includes/admin/tasks/wppm_tasks_list.php’. In the vulnerable code, user-supplied ‘sort_by’ and ‘order’ parameters from POST requests are incorporated directly into SQL ORDER BY clauses with only esc_sql() applied. That is inadequate here: esc_sql() escapes quote characters inside string literals, but a column name or sort direction in an ORDER BY clause is not quoted, so a bare subquery or function call passes through untouched. The ‘sort_by’ parameter undergoes conditional mapping to column names (lines 51-61 in projects_list.php and similar logic in wppm_tasks_list.php), but this mapping lacks proper validation. The final query concatenation at line 133 in projects_list.php (‘ORDER BY $sort_by $order’) and the equivalent lines in wppm_tasks_list.php therefore allow an attacker to inject arbitrary SQL expressions.
Exploitation:
Attackers can exploit this vulnerability by sending authenticated POST requests to the project or task listing endpoints with malicious ‘sort_by’ and ‘order’ parameters. For projects, the endpoint is likely accessed via admin-ajax.php with an action parameter triggering the projects_list.php logic. Attackers would craft payloads like ‘sort_by=(SELECT SLEEP(5))’ and ‘order=ASC’ to perform time-based blind SQL injection. The injection occurs in the ORDER BY clause, enabling attackers to extract database information through conditional time delays using functions like SLEEP(), BENCHMARK(), or conditional subqueries with time delays.
Patch Analysis:
The patch introduces a whitelist-based validation mechanism for the ‘sort_by’ parameter. In projects_list.php lines 52-70, the code replaces the vulnerable conditional mapping with an associative array ‘$allowed_sort_by’ containing pre-defined safe column mappings. User input is sanitized with sanitize_text_field() and then mapped to this whitelist using array key lookup with a fallback default. The ‘order’ parameter is validated to accept only ‘ASC’ or ‘DESC’ values. The patch removes the insecure esc_sql() calls on lines 133-134 (previously lines 135-136) since the validated values are now safe for direct SQL inclusion. Similar fixes appear in wppm_tasks_list.php lines 101-128, implementing the same whitelist approach for task listings.
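The following is an added example written for this analysis, not code from the Taskbuilder plugin or its patch. It contrasts the pre-patch pattern described under Root Cause (esc_sql() on unquoted ORDER BY fragments) with the allowlist approach described in the patch analysis. The column names, the table alias ‘p’, the sort keys and the default are constructed assumptions; the plugin's real ‘$allowed_sort_by’ contents are not on the page. Stand-ins for WordPress's sanitize_text_field() and esc_sql() are defined only so the file runs outside WordPress.

```php
<?php
// Added example (not the plugin's code). Shows why esc_sql() does not protect an
// ORDER BY clause and how a key-lookup allowlist does.

// Stand-ins so this runs outside WordPress; inside WP the real functions are used.
if (!function_exists('sanitize_text_field')) {
    function sanitize_text_field($str) {
        $str = strip_tags((string) $str);
        return trim(preg_replace('/[\r\n\t ]+/', ' ', $str));
    }
}
if (!function_exists('esc_sql')) {
    function esc_sql($str) {
        // Approximates WP's quote escaping; escaping is all it does.
        return addslashes((string) $str);
    }
}

// Constructed illustration of the pre-patch pattern the analysis describes
// (not the plugin's literal lines). Neither fragment sits inside quotes in the
// resulting SQL, so escaping quote characters changes nothing about a subquery.
function vulnerable_order_by(array $post): string {
    $sort_by = esc_sql($post['sort_by'] ?? 'id');
    $order   = esc_sql($post['order'] ?? 'ASC');
    return "ORDER BY $sort_by $order";
}

// Allowlist-based construction following the patch description.
function safe_order_by(array $post): string {
    // Assumed mapping: user-facing sort keys -> fixed column expressions.
    $allowed_sort_by = array(
        'name'    => 'p.project_name',
        'created' => 'p.created_at',
        'status'  => 'p.status',
    );
    $default_key = 'created';

    // Sanitize, then use the value only as a KEY into the map. Anything not in
    // the map falls back to the default; the raw string never reaches the SQL.
    $requested = isset($post['sort_by']) ? sanitize_text_field($post['sort_by']) : '';
    $sort_by = array_key_exists($requested, $allowed_sort_by)
        ? $allowed_sort_by[$requested]
        : $allowed_sort_by[$default_key];

    // Direction is a two-value enum: compare against the literals, default otherwise.
    $order = isset($post['order']) ? strtoupper(sanitize_text_field($post['order'])) : 'ASC';
    if ($order !== 'ASC' && $order !== 'DESC') {
        $order = 'ASC';
    }

    // Both fragments are now constants defined in this file, so no escaping is needed.
    return "ORDER BY {$sort_by} {$order}";
}

// Demonstration with constructed inputs (the hostile one is the payload shape
// already quoted in the Exploitation section above).
$benign  = array('sort_by' => 'name', 'order' => 'desc');
$hostile = array('sort_by' => '(SELECT SLEEP(5))', 'order' => 'ASC');

echo vulnerable_order_by($hostile), "\n"; // subquery survives esc_sql() untouched
echo safe_order_by($benign), "\n";        // ORDER BY p.project_name DESC
echo safe_order_by($hostile), "\n";       // ORDER BY p.created_at ASC
```

The design point is that the user-controlled string is consumed as a lookup key and then discarded; only values the code itself defines are interpolated. When reviewing a patch of this kind, check that every branch (including the fallback) yields a value from the allowlist and that no earlier code path still concatenates the raw parameter.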
Impact:
Successful exploitation enables authenticated attackers to perform time-based blind SQL injection attacks against the WordPress database. Attackers can extract sensitive information including user credentials, personal data, plugin-specific configuration, and other database contents. While the vulnerability requires subscriber-level authentication, this low-privilege access is commonly available in WordPress installations. The attack could lead to full database compromise, credential theft, and potential privilege escalation if administrative credentials are extracted.
