Description
The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Published: 2026-03-21
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary File Read
Action: Immediate Patch
AI Analysis

Impact

Task Manager, a WordPress plugin, contains a flaw in its callback_get_text_from_url() function that allows an authenticated user with Subscriber or higher permissions to supply a file path and retrieve the file's contents. This arbitrary file read (CWE-73, External Control of File Name or Path) can expose sensitive configuration data, credentials, or other confidential information, compromising the confidentiality of the hosting environment without granting code execution.

Affected Systems

The affected product is the Task Manager plugin by eoxia, distributed through WordPress. All releases up to and including version 3.0.2 are vulnerable; any WordPress site running those versions is at risk.

Risk and Exploitability

The vulnerability carries a CVSS score of 6.5, indicating medium severity. Because an attacker must first authenticate, the practical risk depends on how widely Subscriber-level or higher accounts are available on the site. No evidence of widespread exploitation has been reported, and the flaw is not listed in CISA's Known Exploited Vulnerabilities catalog. Nonetheless, sites running a vulnerable version of the plugin remain susceptible to disclosure of secrets.

Generated by OpenCVE AI on March 21, 2026 at 07:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Task Manager plugin to any version newer than 3.0.2.
  • If an upgrade cannot be performed immediately, temporarily deactivate or remove the plugin to remove the exposure.
  • Review and tighten permissions for Subscriber and other user roles to prevent unnecessary file read capability.


Advisories

No advisories yet.

History

Mon, 23 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Mar 2026 10:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Eoxia; Eoxia task Manager; Wordpress; Wordpress wordpress
Vendors & Products | | Eoxia; Eoxia task Manager; Wordpress; Wordpress wordpress

Sat, 21 Mar 2026 05:30:00 +0000

Type | Values Removed | Values Added
Description | | The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Title | | Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Read
Weaknesses | | CWE-73
References | |
Metrics | | cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:24:11.108Z

Reserved: 2026-02-11T16:25:09.019Z

Link: CVE-2026-2351

Vulnrichment

Updated: 2026-03-23T17:51:19.901Z

NVD

Status: Awaiting Analysis

Published: 2026-03-21T04:16:58.533

Modified: 2026-03-23T14:32:02.800

Link: CVE-2026-2351

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:41:40Z

Weaknesses