CVE-2026-2351
MEDIUM
NVD
CVSS Score
6.5
Severity
MEDIUM
Published
Mar 21, 2026
Vendor
unknown
Description
The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
References
- https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/import/action/class-import-action.php#L203
- https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/import/action/class-import-action.php#L203
- https://wordpress.org/plugins/task-manager/
- https://www.wordfence.com/threat-intel/vulnerabilities/id/cd959968-d3f0-4546-8fc6-eb451b417f0d?source=cve