Platform
wordpress
Component
task-manager
Fixed in
3.0.3
CVE-2026-4004 describes a vulnerability in the WordPress Task Manager plugin that allows for arbitrary shortcode execution. This occurs because of inadequate input validation and missing capability checks within the plugin's AJAX functionality. The vulnerability affects versions from 0.0.0 up to and including 3.0.2, and a fix is available in version 3.0.3.
An authenticated attacker, requiring Subscriber-level access or higher, can exploit this vulnerability to execute arbitrary shortcodes on a WordPress site. This can lead to a wide range of malicious actions, including defacing the website, injecting malicious content, or even gaining further access to the system. The ability to execute arbitrary shortcodes bypasses standard WordPress security measures and can have a significant impact on site integrity and user data. This vulnerability is particularly concerning because it allows for code execution within the context of the WordPress environment.
CVE-2026-4004 was publicly disclosed on 2026-03-21. Currently, there are no known public exploits or active campaigns targeting this vulnerability. It is not listed on the CISA KEV catalog. The vulnerability's reliance on authenticated access suggests that exploitation would likely require targeted attacks against WordPress sites using the Task Manager plugin.
WordPress sites utilizing the Task Manager plugin, particularly those with a large number of users with Subscriber-level access or higher, are at risk. Shared hosting environments where multiple WordPress installations share the same server resources are also potentially vulnerable, as an attacker compromising one site could potentially exploit this vulnerability to gain access to others.
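To make the two defects named above concrete (missing capability checks and inadequate input validation in an admin-ajax handler), here is an added illustration in PHP. It is not the Task Manager plugin's code: the hook name `wp_ajax_tm_search`, the function names, the `q` request parameter and the `task` post type are all assumptions. The first handler shows the pattern that leads to arbitrary shortcode execution by any logged-in user; the second shows how the same endpoint looks with a nonce, a capability check and plain-text handling of the query.

```php
<?php
// Added example, not from the Task Manager plugin. Hook name, function
// names, the 'q' parameter and the 'task' post type are assumptions.

// --- Vulnerable pattern ---------------------------------------------------
// 'wp_ajax_*' fires for every authenticated role, Subscriber included.
// There is no nonce, no capability check, and raw request input is passed
// through do_shortcode(), so any registered shortcode in the request runs.
function tm_search_vulnerable() {
    $q = $_REQUEST['q'] ?? '';
    echo do_shortcode( $q ); // shortcode execution on attacker-controlled text
    wp_die();
}

// --- Hardened pattern -----------------------------------------------------
function tm_search_hardened() {
    // 1. CSRF protection: the request must carry a nonce created with
    //    wp_create_nonce( 'tm_search' ); check_ajax_referer() dies otherwise.
    check_ajax_referer( 'tm_search', 'nonce' );

    // 2. Authorization: require a capability that fits the feature rather
    //    than merely being logged in.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 ); // exits
    }

    // 3. Input validation: treat the query as plain text, bound its length,
    //    and never hand it to do_shortcode().
    $q = isset( $_POST['q'] ) ? sanitize_text_field( wp_unslash( $_POST['q'] ) ) : '';
    $q = mb_substr( $q, 0, 100 );
    if ( '' === $q ) {
        wp_send_json_error( array( 'message' => 'empty query' ), 400 ); // exits
    }

    // 4. Safe use: WP_Query handles escaping of the search term; titles are
    //    escaped on output.
    $query   = new WP_Query( array(
        's'              => $q,
        'post_type'      => 'task',
        'posts_per_page' => 20,
    ) );
    $results = array();
    foreach ( $query->posts as $post ) {
        $results[] = array(
            'id'    => $post->ID,
            'title' => esc_html( get_the_title( $post ) ),
        );
    }
    wp_send_json_success( $results ); // exits
}
add_action( 'wp_ajax_tm_search', 'tm_search_hardened' );
```

The important design point is step 3: a search endpoint has no reason to interpret its input as shortcode markup, so the fix is not to filter shortcode syntax but to stop calling `do_shortcode()` on request data at all. The nonce and capability check in steps 1 and 2 are what the advisory's "missing capability checks" refers to; without them the endpoint is reachable by every Subscriber.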
• wordpress / composer / npm:
grep -r 'callback_search()' /var/www/html/wp-content/plugins/task-manager/
• wordpress / composer / npm:
wp plugin list | grep 'task-manager'
• wordpress / composer / npm:
wp plugin update task-manager --all
Disclosure
Exploit Status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-4004 is to immediately upgrade the WordPress Task Manager plugin to version 3.0.3 or later. If upgrading is not immediately feasible, consider temporarily disabling the 'search' AJAX action within the plugin to prevent exploitation. While not a complete solution, this can reduce the attack surface. Web application firewalls (WAFs) configured to detect and block shortcode injection attempts can also provide an additional layer of protection. Review WordPress user roles and permissions to ensure that Subscriber-level users have the minimum necessary privileges.
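The workaround of disabling the 'search' AJAX action can be applied without editing the plugin itself, which keeps the change from being lost on the next update. The must-use plugin below is an added example, not part of the Task Manager plugin; it assumes the vulnerable endpoint is reached via `admin-ajax.php?action=search` (which WordPress dispatches on the `wp_ajax_search` hook) and that the plugin registers its callback at the default priority 10. Adjust the hook name if the plugin uses a different action name.

```php
<?php
/**
 * Plugin Name: Block Task Manager search AJAX (temporary mitigation)
 * Description: Added example, not part of the Task Manager plugin. Place in
 *              wp-content/mu-plugins/ until the plugin is updated to 3.0.3+.
 */

// ASSUMPTION: the affected endpoint is the 'search' AJAX action, i.e.
// admin-ajax.php?action=search, dispatched by WordPress as 'wp_ajax_search'.
const TM_BLOCKED_AJAX_HOOK = 'wp_ajax_search';

function tm_block_search_ajax() {
    // wp_send_json_error() terminates the request, so the plugin's own
    // callback (registered at the default priority 10) never runs.
    wp_send_json_error(
        array( 'message' => 'This action is temporarily disabled pending a plugin update.' ),
        403
    );
}

// Priority 0 runs before the plugin's handler and does not require knowing
// the plugin's callback name or signature, so it also survives plugin updates
// that rename the callback.
add_action( TM_BLOCKED_AJAX_HOOK, 'tm_block_search_ajax', 0 );

// Remind administrators to remove this file once the plugin is at 3.0.3 or later.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>'
       . esc_html( 'Task Manager search AJAX is blocked by a must-use plugin; remove it after updating to 3.0.3 or later.' )
       . '</p></div>';
} );
```

Because this blocks the action for every user, including administrators, the plugin's search feature is unavailable until the update is applied; that is the trade-off the advisory describes when it calls the workaround "not a complete solution". Confirm the hook name first by checking which `add_action( 'wp_ajax_...' )` call the plugin's `callback_search()` is attached to (the grep command above locates the callback).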
No known patch available. Study the details of the vulnerability thoroughly and apply mitigations based on your organization's risk tolerance. It may be best to remove the affected software and find a replacement.
CVE-2026-4004 is a medium severity vulnerability in the WordPress Task Manager plugin allowing authenticated attackers to execute arbitrary shortcodes due to insufficient input validation.
You are affected if you are using WordPress Task Manager versions 0.0.0 through 3.0.2. Check your plugin version and upgrade immediately if vulnerable.
Upgrade the WordPress Task Manager plugin to version 3.0.3 or later. As a temporary workaround, disable the 'search' AJAX action within the plugin.
Currently, there are no known public exploits or active campaigns targeting CVE-2026-4004, but it's crucial to apply the patch promptly.
Refer to the WordPress Task Manager plugin's official website or the WordPress.org plugin repository for the latest advisory and update information.