CVE-2026-2351 in Task Manager Plugin

Summary

by MITRE • 03/21/2026

The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Analysis

by VulDB Data Team • 03/21/2026

The Task Manager plugin for WordPress presents a critical arbitrary file read vulnerability identified as CVE-2026-2351 affecting all versions through 3.0.2. This vulnerability stems from improper input validation within the callback_get_text_from_url() function which fails to adequately sanitize user-supplied parameters. The flaw allows authenticated attackers holding Subscriber-level privileges or higher to exploit this weakness and access arbitrary files on the affected server. The vulnerability represents a significant security risk as it bypasses normal access controls and can potentially expose sensitive system information including configuration files, database credentials, and other confidential data that may be stored within the WordPress installation directory structure.

This weakness is classified as CWE-22, Improper Limitation of a Pathname to a Restricted Directory. The callback_get_text_from_url() function appears to process file paths without proper validation or sanitization, so a malicious user can supply input that traverses the file system and reaches files outside the intended directory boundaries. Files of interest to an attacker include wp-config.php, which holds the database credentials, .htaccess, which holds server configuration, and other system files that may contain authentication tokens or confidential information. The flaw is exploitable at the application level and requires no privileges beyond those already granted to subscribers, which makes it particularly dangerous because users with minimal access rights can trigger it.

The operational impact of CVE-2026-2351 extends beyond simple information disclosure as it can enable attackers to gather intelligence for further exploitation attempts. Once an attacker successfully reads sensitive files, they can extract database connection strings, encryption keys, or other credentials that may allow them to escalate privileges or gain access to additional systems. This vulnerability can also facilitate privilege escalation attacks where attackers use the read access to identify system vulnerabilities or misconfigurations that could lead to full system compromise. The attack vector is particularly concerning because it requires minimal user interaction and can be executed through standard WordPress administrative interfaces, making it difficult to detect and trace.

Mitigation begins with updating the Task Manager plugin to version 3.0.3 or later, where the file read functionality has been properly secured. Developers and operators should enforce strict input validation and sanitization for every file access operation so that user-supplied parameters cannot traverse outside the intended directory. Network segmentation and access control measures limit the impact of a successful exploit, and monitoring should be configured to flag unusual file access patterns or attempts to read sensitive system files. Applying the principle of least privilege and auditing user permissions regularly further reduces the risk of unauthorized access through this vulnerability. The ATT&CK framework categorizes this as a privilege escalation technique under T1068, where attackers leverage application vulnerabilities to gain elevated access rights and disclose system information.
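The following PHP is an added example written for this page; it is not code from the Task Manager plugin, and the body of its callback_get_text_from_url() function is not shown here. The insecure sketch assumes the CWE-22 pattern the analysis describes (user input reaching the filesystem unchecked), and the hardened function shows the validation the mitigation paragraph calls for: reject NUL bytes, absolute paths and stream-wrapper schemes, resolve the path with realpath() and confine it to one allow-listed base directory, and permit only regular files with an allowed extension. Exceptions are used so the file runs outside WordPress; a real plugin would return a WP_Error instead.

```php
<?php
// Added example, not the plugin's own code. Demonstrates confining a
// user-supplied path to one directory so '../' traversal cannot escape it.

// Assumed insecure pattern (CWE-22): the caller's input goes straight to
// file_get_contents(), so '../../wp-config.php', '/etc/passwd' or
// 'php://filter/...' are all accepted.
function insecure_get_text($user_path)
{
    return file_get_contents($user_path);
}

// Hardened version: the returned string is the file content; any policy
// violation raises RuntimeException with the reason.
function safe_get_text($user_path, $base_dir, array $allowed_ext = array('txt', 'md'))
{
    if (!is_string($user_path) || $user_path === '' || strpos($user_path, "\0") !== false) {
        throw new RuntimeException('empty path or NUL byte');
    }
    // Reject absolute paths, Windows drive letters and URL/stream schemes
    // (file://, php://, data:, ...) before touching the filesystem.
    if (preg_match('#^(?:[a-z][a-z0-9+.-]*:|/|\\\\)#i', $user_path)) {
        throw new RuntimeException('absolute path or scheme not allowed');
    }
    $base = realpath($base_dir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    // realpath() collapses '.', '..' and symlinks; a false result means the
    // target does not exist, which is also rejected.
    $resolved = realpath($base . DIRECTORY_SEPARATOR . $user_path);
    // The prefix check includes the trailing separator so a base of
    // '/srv/app' is not satisfied by '/srv/app-private/secret.txt'.
    if ($resolved === false || strpos($resolved, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('path escapes the allowed directory');
    }
    $ext = strtolower(pathinfo($resolved, PATHINFO_EXTENSION));
    if (!is_file($resolved) || !in_array($ext, $allowed_ext, true)) {
        throw new RuntimeException('not a permitted file type');
    }
    return file_get_contents($resolved);
}

// Stand-alone demonstration with a constructed temporary directory.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'tm_example_' . uniqid();
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'note.txt', "hello from the allowed directory\n");

echo "allowed: ", safe_get_text('note.txt', $base);

// Constructed inputs modelled on the traversal classes the advisory describes.
$probes = array(
    '../../../../etc/passwd',            // parent-directory traversal
    '/etc/passwd',                       // absolute path
    'php://filter/resource=note.txt',    // stream wrapper
    "note.txt\0.jpg",                    // NUL-byte truncation attempt
    'note.txt/../note.txt.php',          // wrong extension after normalisation
);
foreach ($probes as $probe) {
    try {
        safe_get_text($probe, $base);
        echo "UNEXPECTED: accepted ", addcslashes($probe, "\0"), "\n";
    } catch (RuntimeException $e) {
        echo "rejected ", addcslashes($probe, "\0"), ": ", $e->getMessage(), "\n";
    }
}

unlink($base . DIRECTORY_SEPARATOR . 'note.txt');
rmdir($base);
```

If the parameter is meant to be a remote URL rather than a local path, the corresponding defence is to fetch it with WordPress's own wp_safe_remote_get(), which only follows http and https and refuses local and non-public targets, instead of passing the string to file_get_contents(). The monitoring the paragraph recommends can then key on the same rejection reasons: log each RuntimeException with the user ID and the raw input, and alert on repeated rejections from one account.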

Responsible: Wordfence

Reservation: 02/11/2026

Disclosure: 03/21/2026

Moderation: accepted

CPE: ready

EPSS: 0.00045

KEV: no

Activities: very low

Sources
