{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-2351", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-02-11T16:25:09.019Z", "datePublished": "2026-03-21T03:27:03.476Z", "dateUpdated": "2026-04-08T17:24:11.108Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:11.108Z"}, "affected": [{"vendor": "eoxia", "product": "Task Manager", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.0.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "title": "Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Read", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd959968-d3f0-4546-8fc6-eb451b417f0d?source=cve"}, {"url": "https://wordpress.org/plugins/task-manager/"}, {"url": "https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/import/action/class-import-action.php#L203"}, {"url": "https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/import/action/class-import-action.php#L203"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-73 External Control of File Name or Path", "cweId": "CWE-73", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "timeline": [{"time": "2026-03-20T15:08:35.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-23T17:50:32.152858Z", "id": "CVE-2026-2351", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:51:32.643Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-2351", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-23T17:50:32.152858Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-23T17:51:19.901Z"}}], "cna": {"title": "Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Read", "credits": [{"lang": "en", "type": "finder", "value": "Youcef Hamdani"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 6.5, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "affected": [{"vendor": "eoxia", "product": "Task Manager", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.0.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2026-03-20T15:08:35.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd959968-d3f0-4546-8fc6-eb451b417f0d?source=cve"}, {"url": "https://wordpress.org/plugins/task-manager/"}, {"url": "https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/import/action/class-import-action.php#L203"}, {"url": "https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/import/action/class-import-action.php#L203"}], "descriptions": [{"lang": "en", "value": "The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-73", "description": "CWE-73 External Control of File Name or Path"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:24:11.108Z"}}}, "cveMetadata": {"cveId": "CVE-2026-2351", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:24:11.108Z", "dateReserved": "2026-02-11T16:25:09.019Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-03-21T03:27:03.476Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information."}, {"lang": "es", "value": "El plugin Task Manager para WordPress es vulnerable a la lectura arbitraria de archivos en todas las versiones hasta la 3.0.2, inclusive, a trav\u00e9s de la funci\u00f3n callback_get_text_from_url(). Esto permite a atacantes autenticados, con acceso de nivel Suscriptor y superior, leer el contenido de archivos arbitrarios en el servidor, que pueden contener informaci\u00f3n sensible."}], "id": "CVE-2026-2351", "lastModified": "2026-04-22T21:32:08.360", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-03-21T04:16:58.533", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/import/action/class-import-action.php#L203"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/import/action/class-import-action.php#L203"}, {"source": "security@wordfence.com", "url": "https://wordpress.org/plugins/task-manager/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/cd959968-d3f0-4546-8fc6-eb451b417f0d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-73"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Task Manager", "source": "cna", "vendor": "eoxia"}, "product": "task_manager", "vendor": "eoxia"}, {"configurations": [{"platform": null, "status": "unaffected", "versions": null}], "enrichment": {"confidence": 80.0, "confidence_source": "inferred", "scores": [{"score": 80.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "product": "wordpress", "vendor": "wordpress"}], "analysis": {"en": {"generated_at": "2026-03-21T07:12:51.491586+00:00", "value": {"mitigation_remediation": ["Upgrade the Task Manager plugin to any version newer than 3.0.2.", "If an upgrade cannot be performed immediately, temporarily deactivate or remove the plugin to stop the exploit.", "Review and tighten permissions for Subscriber and other user roles to prevent unnecessary file read capability."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary File Read"}, "threat_synthesis": {"affected_systems": "The affected product is the Task Manager plugin by eoxia, distributed through WordPress. All releases up to and including version 3.0.2 are vulnerable; any WordPress site running those versions is at risk.", "description_and_impact": "Task Manager, a WordPress plugin, contains a flaw in its callback_get_text_from_url() function that allows an authenticated user with Subscriber or higher permissions to supply a file path and retrieve the file\u2019s contents. This local file inclusion vulnerability (CWE\u201173) can expose sensitive configuration data, credentials, or other confidential information, compromising the confidentiality of the hosting environment without giving code execution rights.", "risk_and_exploitability": "The vulnerability carries a CVSS score of 6.5, indicating moderate severity. Because an attacker must first authenticate, the practical risk depends on how widely Subscriber or higher role users can read server files. No evidence of widespread exploitation has been reported, and the flaw is not listed in CISA\u2019s known\u2011exploited\u2011vulnerabilities catalog. Nonetheless, unpatched sites remain susceptible to secrets disclosure if the plugin remains at a vulnerable version."}}}}, "created": "2026-03-23T09:50:00.293610+00:00", "updated": "2026-03-25T14:41:40.573192+00:00", "vendors": ["eoxia", "eoxia$PRODUCT$task_manager", "wordpress", "wordpress$PRODUCT$wordpress"]}