Platform
wordpress
Component
task-manager
Fixed in
3.0.3
CVE-2026-4004 describes a vulnerability in the WordPress Task Manager plugin that allows for arbitrary shortcode execution. This occurs because of inadequate input validation and missing capability checks within the plugin's AJAX functionality. The vulnerability affects versions from 0.0.0 up to and including 3.0.2, and a fix is available in version 3.0.3.
An authenticated attacker with Subscriber-level access or higher can exploit this vulnerability to execute arbitrary shortcodes on a WordPress site. This can lead to a wide range of malicious actions, including defacing the website, injecting malicious content, or gaining further access to the system. Because shortcodes invoke server-side PHP callbacks registered by WordPress core, the theme and other plugins, executing attacker-chosen shortcodes bypasses the role-based restrictions that normally govern who may place them, and the resulting impact on site integrity and user data depends on which shortcodes are available on the site. The vulnerability is particularly concerning because that execution happens within the context of the WordPress environment.
CVE-2026-4004 was publicly disclosed on 2026-03-21. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed in the CISA KEV catalog. Because exploitation requires an authenticated account, attacks would most likely be targeted at specific WordPress sites using the Task Manager plugin.
WordPress sites utilizing the Task Manager plugin, particularly those with a large number of users with Subscriber-level access or higher, are at risk. Shared hosting environments where multiple WordPress installations share the same server resources are also potentially vulnerable, as an attacker compromising one site could potentially exploit this vulnerability to gain access to others.
• wordpress / composer / npm:
grep -r 'callback_search()' /var/www/html/wp-content/plugins/task-manager/
• wordpress / composer / npm:
wp plugin list | grep 'task-manager'
• wordpress / composer / npm:
wp plugin update task-manager --all
disclosure
Exploit status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4004 is to immediately upgrade the WordPress Task Manager plugin to version 3.0.3 or later. If upgrading is not immediately feasible, consider temporarily disabling the 'search' AJAX action within the plugin to prevent exploitation. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block shortcode injection attempts can also provide an additional layer of protection. Review WordPress user roles and permissions to ensure that Subscriber-level users have the minimum necessary privileges.
No known patch is available. Please review the details of this vulnerability in depth and apply mitigations based on your organization's risk tolerance. Uninstalling the affected software and finding a replacement may be the best option.
CVE-2026-4004 is a medium severity vulnerability in the WordPress Task Manager plugin allowing authenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
You are affected if you are using WordPress Task Manager versions 0.0.0 through 3.0.2. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the WordPress Task Manager plugin to version 3.0.3 or later. As a temporary workaround, disable the 'search' AJAX action within the plugin.
Currently, there are no known public exploits or active campaigns targeting CVE-2026-4004, but it's crucial to apply the patch promptly.
Refer to the WordPress Task Manager plugin's official website or the WordPress.org plugin repository for the latest advisory and update information.