CVE-2026-4004

The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows shortcode syntax (square brackets) to pass through sanitize_text_field() and be concatenated into a do_shortcode() call. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes on the site by injecting shortcode syntax into parameters like 'task_id', 'point_id', 'categories_id', or 'term'.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/navigation/action/navigation.action.php#L29
https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/navigation/action/navigation.action.php#L46
https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/navigation/action/navigation.action.php#L75
https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/action/navigation.action.php#L29
https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/action/navigation.action.php#L46
https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/action/navigation.action.php#L75
https://www.wordfence.com/threat-intel/vulnerabilities/id/e3a902a6-c16f-4e0a-a13a-defb93754c92?source=cve

Configurations

No configuration.

History

No history.

Information

Published : 2026-03-21 04:17

Updated : 2026-03-23 14:32

NVD link : CVE-2026-4004

Mitre link : CVE-2026-4004

CVE.ORG link : CVE-2026-4004

JSON object : View

Products Affected

No product.

CWE

CWE-94

Improper Control of Generation of Code ('Code Injection')

{"id": "CVE-2026-4004", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "security@wordfence.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 2.5, "exploitabilityScore": 3.9}]}, "published": "2026-03-21T04:17:39.033", "references": [{"url": "https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/navigation/action/navigation.action.php#L29", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/navigation/action/navigation.action.php#L46", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/navigation/action/navigation.action.php#L75", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/action/navigation.action.php#L29", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/action/navigation.action.php#L46", "source": "security@wordfence.com"}, {"url": "https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/action/navigation.action.php#L75", "source": "security@wordfence.com"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e3a902a6-c16f-4e0a-a13a-defb93754c92?source=cve", "source": "security@wordfence.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Primary", "source": "security@wordfence.com", "description": [{"lang": "en", "value": "CWE-94"}]}], "descriptions": [{"lang": "en", "value": "The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows shortcode syntax (square brackets) to pass through sanitize_text_field() and be concatenated into a do_shortcode() call. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes on the site by injecting shortcode syntax into parameters like 'task_id', 'point_id', 'categories_id', or 'term'."}, {"lang": "es", "value": "El plugin Task Manager para WordPress es vulnerable a la ejecuci\u00f3n arbitraria de shortcodes a trav\u00e9s de la acci\u00f3n AJAX 'search' en todas las versiones hasta la 3.0.2, inclusive. Esto se debe a la falta de comprobaciones de capacidad en la funci\u00f3n callback_search() y a una validaci\u00f3n de entrada insuficiente que permite que la sintaxis de shortcode (corchetes) pase a trav\u00e9s de sanitize_text_field() y se concatene en una llamada a do_shortcode(). Esto hace posible que atacantes autenticados, con acceso de nivel Suscriptor y superior, ejecuten shortcodes arbitrarios en el sitio inyectando sintaxis de shortcode en par\u00e1metros como 'task_id', 'point_id', 'categories_id' o 'term'."}], "lastModified": "2026-03-23T14:32:02.800", "sourceIdentifier": "security@wordfence.com"}