CVE-2026-4004
Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'task_id' Parameter
Vexday Risk Score
13Low
SSVC decision (CISA)
Track
No exploitation signal → monitor
CVSS 6.5EPSS 0.3%KEV nãoPoC —Nuclei —Metasploit —Patch —
Lifecycle
21 Mar 2026Published on NVD
Recommendation: Monitor — no exploitation signal at the moment.
The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows shortcode syntax (square brackets) to pass through sanitize_text_field() and be concatenated into a do_shortcode() call. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes on the site by injecting shortcode syntax into parameters like 'task_id', 'point_id', 'categories_id', or 'term'.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Affected products
eoxia · Task ManagerWant to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/navigation/action/navigation.action.php#L29https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/navigation/action/navigation.action.php#L46https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/navigation/action/navigation.action.php#L75https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/action/navigation.action.php#L29https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/action/navigation.action.php#L46https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/action/navigation.action.php#L75https://www.wordfence.com/threat-intel/vulnerabilities/id/e3a902a6-c16f-4e0a-a13a-defb93754c92?source=cve