CVE-2025-60078
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia – Montpellier Task Manager task-manager allows PHP Local File Inclusion. This issue affects Task Manager: from n/a through <= 3.0.2.
Analysis
Local file inclusion (LFI) in the Task Manager WordPress plugin, versions 3.0.2 and earlier, allows unauthenticated remote attackers to read arbitrary files from the server because a filename parameter reaches PHP include/require statements without adequate control. With a CVSS score of 7.5 but an EPSS of only 0.06% (18th percentile), the issue combines high theoretical impact with low observed exploitation probability. At the time of analysis there was no confirmed active exploitation (the CVE is not in the CISA KEV catalog) and no public exploit code had been identified. The vulnerability, affecting the Agence web Eoxia Task Manager plugin, was disclosed by Patchstack security research.
Technical Context
This vulnerability stems from CWE-98 (Improper Control of Filename for Include/Require Statement), commonly called PHP local/remote file inclusion. The flaw occurs when user-controllable input is passed unsanitized to PHP include(), require(), or similar functions that load files dynamically. Although the description classifies it as 'PHP Remote File Inclusion', the tags and technical indicators point to Local File Inclusion behavior, in which the attacker manipulates a file path parameter to traverse the filesystem and include local files outside the intended directory. The Task Manager WordPress plugin (developed by Agence web Eoxia - Montpellier) does not properly validate or sanitize the filename parameter before using it in a PHP include/require operation, so path traversal sequences such as '../../../' can escape the restricted directory and reach sensitive files such as wp-config.php, /etc/passwd, or other configuration files containing credentials and system information. The CVSS vector's High Confidentiality impact (C:H) with no Integrity or Availability impact reflects an assessment of this as primarily an information disclosure vulnerability rather than a code execution scenario.
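The control that CWE-98 describes as missing is easiest to see in code. The following is an added example written for this page, not the Task Manager plugin's code, and in Python rather than the plugin's PHP: it shows the two validations a user-supplied include name should pass before anything is loaded, an allowlist of known template names and a realpath containment check, with bounded URL-decoding applied first so encoded traversal sequences such as %2e%2e%2f (and double-encoded %252e%252e%252f) are judged in decoded form. The template directory, the allowlist entries and the tested inputs are constructed for the illustration.

```python
import os
from urllib.parse import unquote

# Constructed allowlist: the only template names the page is meant to load.
ALLOWED_TEMPLATES = {"dashboard", "task-list", "task-edit"}

# Constructed template directory; it does not need to exist for realpath().
EXAMPLE_BASE = "/srv/example/wp-content/plugins/task-manager/templates"


def normalize_param(value: str, rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %2e%2e%2f and double-encoded
    variants are judged in decoded form; reject embedded null bytes, which
    older PHP versions treated as a string terminator in include paths."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    if "\x00" in value:
        raise ValueError("null byte in filename parameter")
    return value


def resolve_include(base_dir: str, requested: str, allowlist=None) -> str:
    """Return the absolute path that may be included, or raise ValueError.

    With an allowlist, the decoded name must be one of the known templates
    (the primary control). In every case the resolved path must still lie
    under base_dir after realpath(), which also catches symlinks and the
    absolute paths that os.path.join would otherwise honour.
    """
    name = normalize_param(requested)
    if allowlist is not None:
        if name not in allowlist:
            raise ValueError(f"template not in allowlist: {requested!r}")
        name += ".php"
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    if candidate == base or os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes template directory: {requested!r}")
    return candidate


def check(base_dir: str, requested: str, allowlist=ALLOWED_TEMPLATES) -> str:
    """Demo wrapper: 'ok' when the include would be permitted, else 'rejected'."""
    try:
        resolve_include(base_dir, requested, allowlist)
        return "ok"
    except ValueError:
        return "rejected"


if __name__ == "__main__":
    for param in ("task-list", "../../../../etc/passwd",
                  "..%2f..%2fwp-config.php", "%252e%252e%252fwp-config.php",
                  "task-list%00"):
        print(f"{param!r:40} -> {check(EXAMPLE_BASE, param)}")
```

In PHP the same two checks map onto an in_array() allowlist and realpath() followed by a prefix comparison against the template directory. The allowlist is the primary control; the containment check is a second layer for code that cannot enumerate its templates, and it is the only one exercised when check() is called with allowlist=None.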
Affected Products
The vulnerability impacts the Task Manager WordPress plugin developed by Agence web Eoxia - Montpellier, specifically all versions up to and including 3.0.2. The affected range is documented as 'from n/a through 3.0.2', meaning the flaw is present in 3.0.2 and likely in earlier releases, though the earliest vulnerable version is not specified in the available data. The plugin provides task and project management functionality for WordPress installations, so any WordPress site running Task Manager 3.0.2 or earlier is affected. The Patchstack vulnerability database entry provides additional context at https://patchstack.com/database/Wordpress/Plugin/task-manager/vulnerability/wordpress-task-manager-plugin-3-0-2-local-file-inclusion-vulnerability?_s_id=cve; specific CPE identifiers were not provided in the available intelligence data.
Remediation
Administrators should immediately upgrade the Task Manager plugin to a release newer than 3.0.2 that addresses this local file inclusion vulnerability. The available data confirms that versions through 3.0.2 are affected, but the exact patched version number was not specified in the intelligence sources provided; check the official plugin repository or the vendor advisory for the latest secure release. As an immediate mitigation before patching, consider temporarily disabling the Task Manager plugin if it is not required for business operations. Review web server and WordPress access logs for suspicious requests containing path traversal patterns (../../, encoded variations such as %2e%2e%2f, or attempts to access system files such as wp-config.php or /etc/passwd) to identify potential exploitation attempts; since the logged request target may be URL-encoded, decode it before matching. Implement web application firewall rules that block requests with path traversal sequences directed at the plugin directory. After patching, review server logs from the period the vulnerability was present to verify that no configuration files or sensitive data were exposed. Additional details and patching guidance are available in the Patchstack advisory: https://patchstack.com/database/Wordpress/Plugin/task-manager/vulnerability/wordpress-task-manager-plugin-3-0-2-local-file-inclusion-vulnerability?_s_id=cve
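The log review described above is straightforward to script. The following is an added example, not vuln.today's or the plugin vendor's tooling: it parses combined-format access-log lines, URL-decodes the request target for a bounded number of rounds so single- and double-encoded variants (%2e%2e%2f, %252e%252e%252f) are caught, flags traversal sequences and the file names the remediation text mentions, and summarizes per source address how many flagged requests received a 200 response, the subset worth investigating first as possible disclosure. The log lines, the source addresses, and the endpoint and parameter name (page.php?template=) are constructed placeholders; the plugin's actual vulnerable endpoint is not identified in this advisory.

```python
import re
from urllib.parse import unquote

# Constructed combined-format access-log lines. page.php?template= is a
# placeholder endpoint/parameter, not the plugin's real one.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2025:10:01:02 +0000] "GET /wp-content/plugins/task-manager/page.php?template=dashboard HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Oct/2025:10:01:07 +0000] "GET /wp-content/plugins/task-manager/page.php?template=../../../../etc/passwd HTTP/1.1" 200 1830 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2025:10:01:09 +0000] "GET /wp-content/plugins/task-manager/page.php?template=..%2f..%2f..%2fwp-config.php HTTP/1.1" 200 3044 "-" "curl/8.0"
203.0.113.9 - - [10/Oct/2025:10:01:11 +0000] "GET /wp-content/plugins/task-manager/page.php?template=%252e%252e%252fwp-config.php HTTP/1.1" 500 0 "-" "curl/8.0"
198.51.100.2 - - [10/Oct/2025:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 88 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Traversal: ".." followed by a slash, a backslash, or end of string.
TRAVERSAL_RE = re.compile(r'\.\.(?:/|\\|$)')
# Files the remediation text names, plus /etc/shadow; case-insensitive.
SENSITIVE_RE = re.compile(r'wp-config\.php|/etc/passwd|/etc/shadow', re.I)
PLUGIN_PREFIX = "/wp-content/plugins/task-manager/"


def fully_decode(value, rounds=3):
    """URL-decode until the value stops changing, bounded to a few rounds."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def analyze_line(line):
    """Return a hit record for a suspicious request, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    decoded = fully_decode(target)
    reasons = []
    if TRAVERSAL_RE.search(decoded):
        reasons.append("traversal")
    if SENSITIVE_RE.search(decoded):
        reasons.append("sensitive-file")
    if not reasons:
        return None
    if decoded != target:
        reasons.append("url-encoded")  # payload was hidden behind encoding
    return {
        "ip": m.group("ip"),
        "timestamp": m.group("ts"),
        "status": int(m.group("status")),
        "target": target,
        "decoded": decoded,
        "plugin_path": decoded.startswith(PLUGIN_PREFIX),
        "reasons": reasons,
    }


def scan_log(text):
    """All hit records for the given log text, in log order."""
    return [hit for hit in map(analyze_line, text.splitlines()) if hit]


def summarize(hits):
    """Per source address: flagged requests, and how many got a 200 back."""
    summary = {}
    for h in hits:
        entry = summary.setdefault(h["ip"], {"requests": 0, "served_200": 0})
        entry["requests"] += 1
        if h["status"] == 200:
            entry["served_200"] += 1
    return summary


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h["ip"], h["status"], ",".join(h["reasons"]), h["decoded"])
    print(summarize(hits))
```

A flagged request that returned 200 with a non-zero response size is the one to treat as a possible exposure; a 4xx/5xx on the same pattern still shows probing and is worth correlating with the WAF rule and the plugin upgrade timeline.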