CVE-2024-9831: 
WordPress vulnerability analysis and mitigation

The Taskbuilder WordPress plugin before version 3.0.9 contains a SQL injection vulnerability that affects administrative users. The vulnerability was discovered and publicly disclosed on September 18, 2024, and was assigned CVE-2024-9831. This security issue specifically affects the WordPress plugin Taskbuilder in versions prior to 3.0.9 (WPScan).

The vulnerability stems from improper sanitization and escaping of a parameter before its use in SQL statements. Specifically, when cloning a task, the 'task_id' parameter is vulnerable to time-based SQL injection. The CVSS v3.1 score for this vulnerability is 7.2 (High), with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H, indicating that while the vulnerability requires high privileges, it can potentially lead to significant impact (NVD, Wiz).

The vulnerability allows authenticated administrators to perform SQL injection attacks, which could potentially lead to unauthorized access to the database, data manipulation, or exposure of sensitive information. The high CVSS score indicates serious potential consequences if exploited (WPScan, Wiz).

The vulnerability has been patched in version 3.0.9 of the Taskbuilder plugin. Users are strongly advised to update to this version or later to mitigate the risk (WPScan).