Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4DescriptionCVE.org
The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
AnalysisAI
The Task Manager plugin for WordPress contains an arbitrary file read vulnerability in the callback_get_text_from_url() function that allows authenticated attackers with Subscriber-level privileges and above to read sensitive files from the server. This information disclosure vulnerability affects all versions up to and including 3.0.2 of the eoxia Task Manager plugin. The vulnerability has a CVSS score of 6.5 and presents moderate real-world risk due to its low attack complexity and the prevalence of WordPress installations, though exploitation requires valid user credentials.
Technical ContextAI
The vulnerability exists in the callback_get_text_from_url() function within the Task Manager plugin's import action module (specifically in module/import/action/class-import-action.php at line 203 according to the plugin repository). The root cause is classified under CWE-73 (External Control of File Name or Path), which represents a path traversal or arbitrary file access weakness where user-supplied input is used to construct file paths without proper validation or sanitization. The affected product is identified via CPE as cpe:2.3:a:eoxia:task_manager, indicating this is an application-level vulnerability in a WordPress plugin rather than a core WordPress issue. The vulnerability allows unauthenticated-equivalent access through low-privileged user accounts, making it particularly dangerous in multi-user WordPress environments where subscriber accounts are commonly created.
RemediationAI
The primary remediation is to upgrade the Task Manager plugin to a patched version newer than 3.0.2 immediately through the WordPress dashboard (Plugins > Updates) or via https://wordpress.org/plugins/task-manager/. If an immediate patch is not available, disable the plugin entirely by navigating to Plugins > Installed Plugins and deactivating Task Manager until an update is released. As an interim mitigation, restrict user registration and audit existing subscriber accounts to remove unnecessary low-privileged accounts, reducing the attack surface. Additionally, implement security hardening through a web application firewall (WAF) configured to detect and block path traversal patterns in URL parameters, restrict file system permissions on the WordPress installation to least-privilege principles, and monitor access logs for suspicious patterns related to file inclusion attempts. Consult Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/cd959968-d3f0-4546-8fc6-eb451b417f0d for additional guidance and indicators of compromise.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-73 – External Control of File Name or Path
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-14165
GHSA-3754-c64r-8c26