Skip to main content

WordPress CVE-2026-2351

| EUVDEUVD-2026-14165 MEDIUM
External Control of File Name or Path (CWE-73)
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
EUVD ID Assigned
Mar 21, 2026 - 04:00 euvd
EUVD-2026-14165
Analysis Generated
Mar 21, 2026 - 04:00 vuln.today
CVE Published
Mar 21, 2026 - 03:27 nvd
MEDIUM 6.5

DescriptionCVE.org

The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

AnalysisAI

The Task Manager plugin for WordPress contains an arbitrary file read vulnerability in the callback_get_text_from_url() function that allows authenticated attackers with Subscriber-level privileges and above to read sensitive files from the server. This information disclosure vulnerability affects all versions up to and including 3.0.2 of the eoxia Task Manager plugin. The vulnerability has a CVSS score of 6.5 and presents moderate real-world risk due to its low attack complexity and the prevalence of WordPress installations, though exploitation requires valid user credentials.

Technical ContextAI

The vulnerability exists in the callback_get_text_from_url() function within the Task Manager plugin's import action module (specifically in module/import/action/class-import-action.php at line 203 according to the plugin repository). The root cause is classified under CWE-73 (External Control of File Name or Path), which represents a path traversal or arbitrary file access weakness where user-supplied input is used to construct file paths without proper validation or sanitization. The affected product is identified via CPE as cpe:2.3:a:eoxia:task_manager, indicating this is an application-level vulnerability in a WordPress plugin rather than a core WordPress issue. The vulnerability allows unauthenticated-equivalent access through low-privileged user accounts, making it particularly dangerous in multi-user WordPress environments where subscriber accounts are commonly created.

RemediationAI

The primary remediation is to upgrade the Task Manager plugin to a patched version newer than 3.0.2 immediately through the WordPress dashboard (Plugins > Updates) or via https://wordpress.org/plugins/task-manager/. If an immediate patch is not available, disable the plugin entirely by navigating to Plugins > Installed Plugins and deactivating Task Manager until an update is released. As an interim mitigation, restrict user registration and audit existing subscriber accounts to remove unnecessary low-privileged accounts, reducing the attack surface. Additionally, implement security hardening through a web application firewall (WAF) configured to detect and block path traversal patterns in URL parameters, restrict file system permissions on the WordPress installation to least-privilege principles, and monitor access logs for suspicious patterns related to file inclusion attempts. Consult Wordfence threat intelligence at https://www.wordfence.com/threat-intel/vulnerabilities/id/cd959968-d3f0-4546-8fc6-eb451b417f0d for additional guidance and indicators of compromise.

CVE-2016-10045 CRITICAL POC
9.8 Dec 30

The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-5084 CRITICAL POC
9.8 May 23

The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

CVE-2020-36847 CRITICAL POC
9.8 Jul 12

The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner

CVE-2025-11749 CRITICAL POC
9.8 Nov 05

The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint

CVE-2016-1209 CRITICAL POC
9.8 May 14

The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via

CVE-2024-4443 CRITICAL POC
9.8 May 22

The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based

CVE-2024-1698 CRITICAL POC
9.8 Feb 27

SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a

CVE-2023-6875 CRITICAL POC
9.8 Jan 11

The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i

CVE-2024-1512 CRITICAL POC
9.8 Feb 17

The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base

CVE-2024-3495 CRITICAL POC
9.8 May 22

The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete

Share

CVE-2026-2351 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy