CVE-2025-22716

High

Published: 21 January 2025

Published

21 January 2025

Modified

23 April 2026

KEV Added

—

Patch

—

CVSS Score 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

EPSS Score 0.0010 26.4th percentile

Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22716 is a high-severity SQL Injection (CWE-89) vulnerability in Taskbuilder Taskbuilder. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly mitigates SQL injection in the Taskbuilder plugin by requiring validation and sanitization of user inputs used in SQL commands.

SI-2 Flaw Remediation good match

prevent

Addresses the specific flaw in Taskbuilder versions through <=3.0.6 by identifying, reporting, and applying timely remediation such as patching.

SI-9 Information Input Restrictions partial match

prevent

Complements input validation by restricting types, amounts, and characteristics of inputs to inhibit SQL injection payloads in the plugin.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The SQL injection vulnerability in a public-facing WordPress plugin directly enables remote exploitation of the web application for unauthorized database access, mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in taskbuilder Taskbuilder taskbuilder allows SQL Injection.This issue affects Taskbuilder: from n/a through <= 3.0.6.

Deeper analysisAI

CVE-2025-22716 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the Taskbuilder WordPress plugin. The issue impacts versions from an unspecified starting point through 3.0.6. Published on 2025-01-21 with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), it enables attackers to manipulate SQL queries due to inadequate input sanitization.

An authenticated attacker with low privileges can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows high-impact confidentiality breaches, such as unauthorized access to sensitive data in the database, while also causing low-impact availability disruption; the changed scope (S:C) indicates potential effects on other system components beyond the plugin itself.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/taskbuilder/vulnerability/wordpress-taskbuilder-plugin-3-0-6-sql-injection-vulnerability?_s_id=cve provides details on this WordPress plugin vulnerability, including recommended mitigations such as updating to a patched version where available. Security practitioners should consult the advisory for specific patch information and hardening guidance.