CVE-2026-1640: CWE-862 Missing Authorization in taskbuilder Taskbuilder – WordPress Project Management & Task Management, kanban view
The Taskbuilder – WordPress Project Management & Task Management plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 5.0.2. This is due to missing authorization checks on the project and task comment submission functions (AJAX actions: wppm_submit_proj_comment and wppm_submit_task_comment). This makes it possible for authenticated attackers, with subscriber-level access and above, to create comments on any project or task (including private projects they cannot view or are not assigned to), and inject arbitrary HTML and CSS via the insufficiently sanitized comment_body parameter.
AI Analysis
Technical Summary
CVE-2026-1640 is a missing-authorization flaw (CWE-862) in the Taskbuilder – WordPress Project Management & Task Management plugin, affecting all versions up to and including 5.0.2. Two admin-ajax.php actions, wppm_submit_proj_comment and wppm_submit_task_comment, store a comment on a project or task without checking that the requesting user is allowed to view, let alone comment on, the target object. The only gate is the one WordPress applies to every wp_ajax_ hook: the caller must be logged in. Any account, down to the Subscriber role, can therefore submit a comment against any project or task identifier it supplies in the request, including private projects it cannot view and is not assigned to.

A second defect compounds the first: the comment_body parameter is not adequately sanitized, so the stored comment can carry arbitrary HTML and CSS. The advisory describes markup and style injection, not script execution, so the practical outcomes are stored content spoofing and UI manipulation (fabricated notices, overlays, hidden or restyled page elements) shown to everyone who views the affected project or task. The flaw does not expose confidential data or allow code execution on its own; what it breaks is the integrity and trustworthiness of project and task comments.

Exploitation needs an authenticated session but no user interaction, and the endpoints sit behind admin-ajax.php, which is reachable from the network on any site with the plugin active. No patched release was available at the time of publication, and no exploitation in the wild has been reported. The CVSS v3.1 base score is 4.3 (Medium), which is the score CVSS assigns to a network-reachable, low-complexity attack by a low-privileged user with no user interaction that has a low integrity impact and no confidentiality or availability impact.
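The CWE-862 pattern described above, as an illustrative pair of WordPress AJAX handlers written for this analysis. This is not the Taskbuilder plugin's own code: only the AJAX action names come from the advisory, and the function names, post type, meta key, nonce action and comment type are assumptions. The first handler shows the missing object-level check and the raw comment_body; the second adds the three controls a hardened handler needs (CSRF nonce, a per-object authorization decision, and an explicit markup allowlist).

```php
<?php
// Example code for CVE-2026-1640 analysis, not code from the Taskbuilder plugin.
// Names other than the two AJAX actions are hypothetical.

// --- Vulnerable pattern, shown for contrast and deliberately NOT hooked. ---
// A wp_ajax_ hook already requires a logged-in user (wp_ajax_nopriv_ is the
// unauthenticated variant), so "authenticated" here includes the Subscriber role.
function example_vuln_submit_task_comment() {
    $task_id = absint( $_POST['task_id'] ?? 0 );
    $body    = wp_unslash( $_POST['comment_body'] ?? '' ); // stored as-is: HTML/CSS injection

    // No check that the current user may view or comment on $task_id (CWE-862).
    wp_insert_comment( array(
        'comment_post_ID' => $task_id,
        'user_id'         => get_current_user_id(),
        'comment_content' => $body,
    ) );
    wp_send_json_success();
}

// --- Hardened handler, hooked on the same action the advisory names. ---
function example_secure_submit_task_comment() {
    // 1. CSRF: the request must carry a nonce issued to this user for this action.
    //    (nonce action 'wppm_task_comment' and field 'nonce' are assumed names)
    check_ajax_referer( 'wppm_task_comment', 'nonce' );

    $task_id = absint( $_POST['task_id'] ?? 0 );
    $task    = $task_id ? get_post( $task_id ) : null;
    if ( ! $task || 'wppm_task' !== $task->post_type ) { // post type name assumed
        wp_send_json_error( 'invalid task', 400 );
    }

    // 2. Authorization, the check that is missing in the vulnerable version.
    //    A generic capability is not enough; the decision is about THIS task.
    $user_id = get_current_user_id();
    if ( ! example_user_can_access_task( $user_id, $task ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Reduce comment_body to an explicit allowlist before it is stored, so
    //    <style>, style="..." attributes, <iframe> and similar never reach the DB.
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true ),
        'strong' => array(),
        'em'     => array(),
        'code'   => array(),
        'br'     => array(),
        'p'      => array(),
    );
    $body = trim( wp_kses( wp_unslash( $_POST['comment_body'] ?? '' ), $allowed ) );
    if ( '' === $body ) {
        wp_send_json_error( 'empty comment', 400 );
    }

    $comment_id = wp_insert_comment( array(
        'comment_post_ID' => $task->ID,
        'user_id'         => $user_id,
        'comment_content' => $body,
        'comment_type'    => 'wppm_task_comment', // assumed
    ) );
    wp_send_json_success( array( 'comment_id' => $comment_id ) );
}

// Object-level authorization against a hypothetical data model: the user may act on
// the task if they can edit it, authored it, or are listed as an assignee in post meta.
function example_user_can_access_task( $user_id, WP_Post $task ) {
    if ( user_can( $user_id, 'edit_post', $task->ID ) ) {
        return true;
    }
    if ( (int) $task->post_author === (int) $user_id ) {
        return true;
    }
    $assignees = (array) get_post_meta( $task->ID, '_wppm_assignees', true ); // meta key assumed
    return in_array( (int) $user_id, array_map( 'intval', $assignees ), true );
}
add_action( 'wp_ajax_wppm_submit_task_comment', 'example_secure_submit_task_comment' );
```

The point of the helper is that the authorization question is answered per object, not per role: a Subscriber who is a legitimate assignee still gets through, while an Editor who is not involved in a private project does not. The allowlist passed to wp_kses is intentionally short; a plugin that wants richer formatting should widen it deliberately rather than fall back to wp_kses_post, which still permits style attributes.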
Potential Impact
For European organizations, the direct effect is loss of integrity in project and task comments: any account on the site can write into any project or task, including private ones, and what it writes can carry HTML and CSS. That is enough for misinformation and manipulation of workflows (a fabricated status update, a bogus instruction placed in a thread) and for social engineering that borrows the trust of an internal tool: a styled block mimicking a system notice, a link dressed up as a colleague's request, or CSS that hides or restyles legitimate content on the page. The vulnerability does not expose sensitive data or disrupt availability on its own. Organizations that rely on Taskbuilder for internal project tracking face operational and reputational risk if it is exploited, and sectors with strict integrity and audit requirements, such as finance, healthcare and government, should treat it accordingly. Because an authenticated account is required, the realistic threat actors are insiders, holders of compromised credentials, and anyone who can self-register on sites that hand out the Subscriber role. The absence of known exploitation lowers immediate urgency but not the exposure, especially where user access controls are weak.
Mitigation Recommendations
Until a fixed release is available, the priorities are to shrink the set of accounts that can reach the two endpoints and to make the content they submit harmless. Start by confirming exposure: check the installed version on the WordPress Plugins screen (or with WP-CLI's wp plugin list); anything at or below 5.0.2 is affected. Audit user roles and registration: open self-registration that grants the Subscriber role turns this into an anyone-can-register problem, so disable it where it is not needed, review recently created low-privilege accounts, and remove stale ones. If the plugin offers a setting to disable project or task comments and they are not essential, turn them off.

For WAF rules, note that admin-ajax.php requests carry the action name in the request body as the action parameter, so a rule that matches only on the URL will not fire; the rule must inspect request arguments and block or log requests whose action is wppm_submit_proj_comment or wppm_submit_task_comment from accounts that should not be commenting. On the application side, sanitize comment_body on the way in with an explicit tag allowlist (the wp_kses family in WordPress) rather than relying on output escaping the plugin may not perform. Monitor for comment activity from low-privilege accounts and for comment bodies containing <style>, style= attributes, <iframe> or similar markup; these should not appear in normal use. Update Taskbuilder as soon as the vendor publishes a release that fixes this issue, and if the plugin is not essential, deactivate it in the interim. Tell users that project comments can be forged and that unexpected notices or links inside comments should be reported rather than followed, and keep watching WordPress and plugin advisories for the fix.
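One way to apply the interim gate and input filtering described above, as an example mu-plugin written for this analysis (not code distributed by the plugin vendor). It assumes the Taskbuilder handlers are registered on the wp_ajax_ hooks at WordPress's default priority of 10, so a callback at priority 1 runs first; the capability it requires, the allowlist, and the log format are choices to adapt. It is a coarse role-level gate, not the object-level authorization the plugin itself needs, so it is a stopgap until the fixed version ships.

```php
<?php
/**
 * Plugin Name: Interim guard for Taskbuilder comment AJAX actions (CVE-2026-1640)
 * Description: Drop-in for wp-content/mu-plugins/. Example code for this analysis,
 *              not vendor code. Gates the two affected admin-ajax.php actions until
 *              a fixed plugin release is installed.
 */

// The two AJAX actions named in the advisory. An admin-ajax.php request with
// action=X is dispatched to the 'wp_ajax_X' hook; a callback at priority 1 runs
// before the plugin's callback (assumed to use the default priority 10), and
// wp_send_json_error() terminates the request so the plugin handler never runs.
const EXAMPLE_GUARDED_ACTIONS = array(
    'wppm_submit_proj_comment',
    'wppm_submit_task_comment',
);

// Minimum capability to reach the handlers at all. 'edit_posts' excludes the
// Subscriber role by default; adjust if legitimate project members are Subscribers.
const EXAMPLE_REQUIRED_CAP = 'edit_posts';

// Markup allowed to survive in comment_body. Everything else, including <style>,
// style="..." attributes and <iframe>, is stripped before the plugin sees the request.
const EXAMPLE_ALLOWED_TAGS = array(
    'strong' => array(),
    'em'     => array(),
    'code'   => array(),
    'br'     => array(),
    'p'      => array(),
);

function example_guard_taskbuilder_comment_action() {
    $action = sanitize_key( $_REQUEST['action'] ?? '' );

    // Role-level gate: reject callers below the required capability.
    if ( ! current_user_can( EXAMPLE_REQUIRED_CAP ) ) {
        example_guard_log( $action, 'blocked: insufficient capability' );
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Defence in depth for the sanitization gap: rewrite comment_body in place.
    // Both superglobals are updated because the plugin may read either one.
    if ( isset( $_POST['comment_body'] ) ) {
        $raw   = wp_unslash( $_POST['comment_body'] );
        $clean = wp_kses( $raw, EXAMPLE_ALLOWED_TAGS );
        if ( $clean !== $raw ) {
            example_guard_log( $action, 'comment_body contained disallowed markup; stripped' );
        }
        $_POST['comment_body']    = wp_slash( $clean ); // keep the slashed form WordPress passes around
        $_REQUEST['comment_body'] = $_POST['comment_body'];
    }
}

// One structured line per event in the PHP error log, easy to forward to a SIEM.
function example_guard_log( $action, $reason ) {
    error_log( sprintf(
        'cve-2026-1640-guard action=%s user=%d ip=%s reason="%s"',
        $action,
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? '-',
        $reason
    ) );
}

foreach ( EXAMPLE_GUARDED_ACTIONS as $action ) {
    add_action( 'wp_ajax_' . $action, 'example_guard_taskbuilder_comment_action', 1 );
}
```

Test it on a staging copy first: a Subscriber session posting to admin-ajax.php with action=wppm_submit_task_comment should receive a 403 JSON error and a guard line in the PHP error log, while an Editor's comment containing a style attribute should be stored without it. If the plugin registers its handlers at a priority below 1, the guard will not run first and the priority here must be lowered accordingly.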
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2026-01-29T18:12:27.876Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6995672780d747be204d2927
Added to database: 2/18/2026, 7:15:51 AM
Last enriched: 2/18/2026, 7:32:19 AM
Last updated: 2/21/2026, 12:16:41 AM
Views: 3
Related Threats
- CVE-2026-27203: CWE-15: External Control of System or Configuration Setting in YosefHayim ebay-mcp (High)
- CVE-2026-27168: CWE-122: Heap-based Buffer Overflow in HappySeaFox sail (High)
- CVE-2026-27134: CWE-287: Improper Authentication in strimzi strimzi-kafka-operator (High)
- CVE-2026-27190: CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in denoland deno (High)
- CVE-2026-27026: CWE-770: Allocation of Resources Without Limits or Throttling in py-pdf pypdf (Medium)