Attack Vectors
Task Manager (WordPress plugin slug: task-manager) is affected by CVE-2026-2351, a Medium severity issue (CVSS 6.5; vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N).
The vulnerability is exploitable by an authenticated user with Subscriber-level access or higher. In practical business terms, this means any compromised low-privilege account (or an intentionally created low-privilege account) could be used as a stepping-stone to access sensitive server-side information.
Because the attack is performed over the network and does not require user interaction, organizations should treat this as a realistic risk when they allow public registration, run membership programs, provide customer portals, or have many internal WordPress accounts.
Security Weakness
Task Manager is vulnerable to arbitrary file read in versions up to and including 3.0.2 via the callback_get_text_from_url() function. This weakness can allow an authenticated attacker to read the contents of files on the server that should not be accessible through WordPress.
Arbitrary file read vulnerabilities are especially concerning because they can expose information that supports broader compromise, such as configuration details, environment settings, credentials, API keys, and other sensitive data stored on the server.
No vendor patch is currently known. From a risk-management standpoint, this elevates the importance of compensating controls (and often replacement) rather than waiting for a fix.
Technical or Business Impacts
Data exposure risk: The CVSS confidentiality impact is rated High, meaning sensitive information could be exposed if an attacker reads files containing secrets or internal configuration. This can create downstream risk beyond WordPress, including access to third-party services connected to your site.
Account and platform takeover enablement: While this specific issue is “read-only” (integrity and availability are not the primary impacts in the CVSS rating), exposed secrets can be used to pivot into other systems or elevate privileges elsewhere (e.g., cloud services, email platforms, analytics tools, payment-related systems) depending on what your environment stores on the server.
Compliance and contractual exposure: Unauthorized access to sensitive information can trigger incident response obligations, customer notifications, and audit findings—particularly for organizations with regulatory requirements or strict vendor security clauses.
Business continuity and brand impact: Even without direct defacement or downtime, a confirmed data exposure event can lead to reputational damage, lost customer trust, increased support load, and unplanned spend on forensics and remediation.
Recommended action given no known patch: Consider uninstalling Task Manager (or replacing it) based on your organization’s risk tolerance. If removal is not immediately possible, reduce exposure by limiting Subscriber accounts, disabling public registration where feasible, tightening role permissions, reviewing who has access, and increasing monitoring/alerting for unusual authenticated activity. Reference: Wordfence vulnerability record. CVE record: CVE-2026-2351.
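As an added illustration of the compensating controls above (this is not code from the Task Manager plugin, Wordfence, or WordPress core), the following must-use plugin enforces "no public registration", pins the default role to Subscriber, and logs admin-ajax and REST calls made by Subscriber-level accounts so unusual authenticated activity surfaces in the PHP error log or a SIEM. It assumes placement in wp-content/mu-plugins/ and uses only core WordPress hooks; it does not fix the file-read flaw itself.

```php
<?php
/**
 * Plugin Name: Compensating controls for CVE-2026-2351 (added example, not Task Manager code)
 * Description: Implements the advisory's interim mitigations: no public registration,
 *              least-privilege default role, and logging of admin-ajax / REST requests
 *              from low-privilege (Subscriber-level) accounts. Place this file in
 *              wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 *              It reduces exposure only; the vulnerable plugin still needs removal or a patch.
 */

// 1. Disable public registration regardless of the value saved under Settings > General.
//    Returning 0 from pre_option_* short-circuits the option lookup.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// 2. Force the default role for any newly created account to the lowest level.
add_filter( 'pre_option_default_role', function () {
    return 'subscriber';
} );

// 3. Log every admin-ajax.php request from a logged-in user who lacks edit_posts
//    (Subscriber-level). The requested action name is recorded so that plugin
//    callbacks being driven by low-privilege accounts stand out during review.
add_action( 'admin_init', function () {
    if ( ! wp_doing_ajax() || ! is_user_logged_in() || current_user_can( 'edit_posts' ) ) {
        return;
    }
    $action = isset( $_REQUEST['action'] ) ? sanitize_key( wp_unslash( $_REQUEST['action'] ) ) : '';
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) ) : 'unknown';
    error_log( sprintf(
        'CVE-2026-2351 watch: low-privilege user_id=%d ip=%s ajax_action=%s',
        get_current_user_id(),
        $ip,
        $action
    ) );
} );

// 4. Apply the same logging to REST API requests from Subscriber-level accounts.
//    The response is returned unchanged; this is detection, not blocking.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( is_user_logged_in() && ! current_user_can( 'edit_posts' ) ) {
        error_log( sprintf(
            'CVE-2026-2351 watch: low-privilege user_id=%d rest_route=%s',
            get_current_user_id(),
            $request->get_route()
        ) );
    }
    return $result;
}, 10, 3 );
```

Because Subscriber-level accounts rarely have a legitimate reason to call plugin AJAX actions, a sudden volume of these log lines from one account is a useful trigger for the access review the advisory recommends.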
Similar Attacks
Arbitrary file read and path traversal issues are commonly exploited to expose sensitive configuration and credentials. Examples of widely cited, real-world vulnerabilities with file disclosure components include:
CVE-2021-41773 (Apache HTTP Server path traversal / file disclosure)
CVE-2020-1938 (Apache Tomcat “Ghostcat” file read/inclusion via AJP)