anonhaven
Ad

CVE-2026-2351

MEDIUM CVSS 3.1: 6.5 EPSS 0.04%
Updated Mar 23, 2026
WordPress
Parameter Value
CVSS 6.5 (MEDIUM)
Type CWE-73 (External Control of File Name or Path)
Vendor WordPress
Public PoC No

The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.

Attack Parameters

Attack Vector
Network
Can be exploited remotely
Attack Complexity
Low
Easy to exploit
Privileges Required
Low
Basic privileges needed
User Interaction
None
No user interaction needed

Impact Assessment

Confidentiality
High
Complete data leak
Integrity
None
No data modification
Availability
None
No disruption

CVSS Vector v3.1

Weakness Type (CWE)

CWE-73 External Control of File Name or Path

References 4

https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/impor…
security@wordfence.com
https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/import/act…
security@wordfence.com
https://wordpress.org/plugins/task-manager/
security@wordfence.com
https://www.wordfence.com/threat-intel/vulnerabilities/id/cd959968-d3f0-4546-8f…
security@wordfence.com
Share Post Share Share Share

Related Vulnerabilities

CVE-2026-6439

WordPress

4.4

CVE-2026-6451

WordPress

4.3

CVE-2026-40308

WordPress

8.8

CVE-2026-3830

Unknown

None

CVE-2026-5809

WordPress

7.1