Cyber Resilience

CVE-2025-22716

High

Published: 21 January 2025

Published
21 January 2025
Modified
23 April 2026
KEV Added
Patch
CVSS Score v3.1 8.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
EPSS Score 0.0010 26.6th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-22716 is a high-severity SQL Injection (CWE-89) vulnerability in Taskbuilder Taskbuilder. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 26.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-22716 is an Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability, classified under CWE-89, affecting the Taskbuilder WordPress plugin. The issue impacts versions from an unspecified starting point through 3.0.6. Published on 2025-01-21 with a CVSS v3.1 base score of 8.5 (AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L), it enables attackers to manipulate SQL queries due to inadequate input sanitization.

An authenticated attacker with low privileges can exploit this vulnerability remotely with low complexity and no user interaction required. Successful exploitation allows high-impact confidentiality breaches, such as unauthorized access to sensitive data in the database, while also causing low-impact availability disruption; the changed scope (S:C) indicates potential effects on other system components beyond the plugin itself.

The Patchstack advisory at https://patchstack.com/database/Wordpress/Plugin/taskbuilder/vulnerability/wordpress-taskbuilder-plugin-3-0-6-sql-injection-vulnerability?_s_id=cve provides details on this WordPress plugin vulnerability, including recommended mitigations such as updating to a patched version where available. Security practitioners should consult the advisory for specific patch information and hardening guidance.

EU & UK References

Vulnerability details

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in taskbuilder Taskbuilder taskbuilder allows SQL Injection.This issue affects Taskbuilder: from n/a through <= 3.0.6.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The SQL injection vulnerability in a public-facing WordPress plugin directly enables remote exploitation of the web application for unauthorized database access, mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-39334Shared CWE-89
CVE-2024-13488Shared CWE-89
CVE-2026-20002Shared CWE-89
CVE-2025-1446Shared CWE-89
CVE-2025-22699Shared CWE-89
CVE-2026-36232Shared CWE-89
CVE-2026-31871Shared CWE-89
CVE-2026-33078Shared CWE-89
CVE-2026-46359Shared CWE-89
CVE-2025-22691Shared CWE-89

Affected Assets

taskbuilder
taskbuilder
≤ 3.0.7

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly mitigates SQL injection in the Taskbuilder plugin by requiring validation and sanitization of user inputs used in SQL commands.

prevent

Addresses the specific flaw in Taskbuilder versions through <=3.0.6 by identifying, reporting, and applying timely remediation such as patching.

prevent

Complements input validation by restricting types, amounts, and characteristics of inputs to inhibit SQL injection payloads in the plugin.

References