Platform: wordpress
Component: task-manager
Fixed in: 3.0.3
CVE-2026-4004 describes a vulnerability in the WordPress Task Manager plugin that allows for arbitrary shortcode execution. This occurs because of inadequate input validation and missing capability checks within the plugin's AJAX functionality. The vulnerability affects versions from 0.0.0 up to and including 3.0.2, and a fix is available in version 3.0.3.
An authenticated attacker, requiring Subscriber-level access or higher, can exploit this vulnerability to execute arbitrary shortcodes on a WordPress site. This can lead to a wide range of malicious actions, including defacing the website, injecting malicious content, or even gaining further access to the system. The ability to execute arbitrary shortcodes bypasses standard WordPress security measures and can have a significant impact on site integrity and user data. This vulnerability is particularly concerning because it allows for code execution within the context of the WordPress environment.
CVE-2026-4004 was publicly disclosed on 2026-03-21. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog. The vulnerability's reliance on authenticated access suggests that exploitation would likely require targeted attacks against WordPress sites using the Task Manager plugin.
Exploit Status
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2026-4004 is to immediately upgrade the WordPress Task Manager plugin to version 3.0.3 or later. If upgrading is not immediately feasible, consider temporarily disabling the 'search' AJAX action within the plugin to prevent exploitation. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block shortcode injection attempts can also provide an additional layer of protection. Review WordPress user roles and permissions to ensure that Subscriber-level users have the minimum necessary privileges.
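To make the root cause concrete (a wp_ajax_* handler that any logged-in user can reach and that renders request text as shortcodes), the following added illustration shows that bug class next to a hardened handler. It is not the Task Manager plugin's code; the function names, the 'tm_search' action, the nonce name and the 'edit_posts' capability are assumptions made for this example.

```php
<?php
// Added illustration of the bug class this advisory describes; it is NOT
// the Task Manager plugin's code. Function names, the 'tm_search' action
// and the capability/nonce names are assumptions made for this example.

// Vulnerable pattern: every wp_ajax_* hook is reachable by any logged-in
// account (Subscriber included), and request text is handed to do_shortcode(),
// so every shortcode registered on the site becomes callable by that account.
function tm_search_vulnerable() {
    $term = $_POST['search'] ?? '';
    echo do_shortcode( $term );   // user input parsed and run as shortcodes
    wp_die();
}

// Hardened pattern: nonce and capability checks, sanitised input, and the
// search term is only ever used as data, never as shortcode/template text.
function tm_search_hardened() {
    // CSRF protection: the nonce must have been issued with wp_create_nonce('tm_search').
    check_ajax_referer( 'tm_search', 'nonce' );

    // Authorisation: require a capability Subscribers do not hold (assumed choice).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // Input validation: plain text only, slashes removed, length bounded.
    $term = sanitize_text_field( wp_unslash( $_POST['search'] ?? '' ) );
    if ( '' === $term || strlen( $term ) > 100 ) {
        wp_send_json_error( array( 'message' => 'invalid search term' ), 400 );
    }

    // The term feeds a query parameter; nothing user-controlled reaches do_shortcode().
    $results = get_posts( array(
        'post_type'   => 'post',   // assumed post type for the example
        's'           => $term,
        'numberposts' => 20,
    ) );
    $titles = wp_list_pluck( $results, 'post_title' );
    wp_send_json_success( array_map( 'esc_html', $titles ) );
}
add_action( 'wp_ajax_tm_search', 'tm_search_hardened' );
```

When reviewing a plugin for this class of issue, grep its wp_ajax_* callbacks for do_shortcode(), apply_shortcodes() or similar rendering calls and confirm each one sits behind a capability check and never receives request data.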
CVE-2026-4004 is a medium severity vulnerability in the WordPress Task Manager plugin allowing authenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
You are affected if you are using WordPress Task Manager versions 0.0.0 through 3.0.2. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the WordPress Task Manager plugin to version 3.0.3 or later. As a temporary workaround, disable the 'search' AJAX action within the plugin.
Currently, there are no known public exploits or active campaigns targeting CVE-2026-4004, but it's crucial to apply the patch promptly.
Refer to the WordPress Task Manager plugin's official website or the WordPress.org plugin repository for the latest advisory and update information.