Task Manager Plugin for WordPress Can Let Attackers Execute Malicious Code
CVE-2026-4004
Summary
The Task Manager plugin for WordPress is vulnerable to attacks from authenticated users with Subscriber-level access or higher, allowing them to execute malicious code on the site. This can happen if attackers inject malicious code into certain parameters. To protect your site, update to a version of the Task Manager plugin that is not vulnerable.
Original title
The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability chec...
Original description
The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows shortcode syntax (square brackets) to pass through sanitize_text_field() and be concatenated into a do_shortcode() call. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes on the site by injecting shortcode syntax into parameters like 'task_id', 'point_id', 'categories_id', or 'term'.
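The description above names two root causes: a missing capability check on the AJAX handler, and user input that survives sanitize_text_field() (which strips tags and control characters but not square brackets) being concatenated into a do_shortcode() string. The following PHP is an added illustration of that pattern and its hardened form; it is not the Task Manager plugin's code, and every function, shortcode and hook name (tm_demo_*) and the task data are constructed for the example.

```php
<?php
/**
 * Added illustration of the vulnerability class described in the advisory.
 * Not the Task Manager plugin's code: all tm_demo_* names and the sample
 * task list are hypothetical. Assumes the WordPress core API is loaded.
 */

// Constructed sample data standing in for a plugin's task table.
function tm_demo_tasks() {
    return array(
        array( 'id' => 1, 'title' => 'Write report' ),
        array( 'id' => 2, 'title' => 'Review patch' ),
    );
}

// Shortcode callback. It receives its attributes as an array, which is the
// interface the hardened handler uses directly instead of building a string.
function tm_demo_list_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'term' => '' ), $atts, 'tm_demo_list' );
    $out  = '<ul>';
    foreach ( tm_demo_tasks() as $task ) {
        if ( '' === $atts['term'] || false !== stripos( $task['title'], $atts['term'] ) ) {
            $out .= '<li>' . esc_html( $task['title'] ) . '</li>';
        }
    }
    return $out . '</ul>';
}
add_shortcode( 'tm_demo_list', 'tm_demo_list_shortcode' );

// VULNERABLE PATTERN (the shape the advisory describes).
// No capability or nonce check, so any logged-in user can reach it, and
// sanitize_text_field() leaves '[' and ']' intact, so whatever shortcode
// syntax the caller puts in 'term' is parsed and executed by do_shortcode().
function tm_demo_search_vulnerable() {
    $term = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    echo do_shortcode( '[tm_demo_list term="' . $term . '"]' );
    wp_die();
}

// HARDENED PATTERN.
function tm_demo_search_hardened() {
    // 1. Authorization: restrict the handler to a capability that matches the
    //    action. 'edit_posts' is a placeholder; choose the capability the
    //    feature really requires (Subscribers do not have this one).
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. CSRF protection: the request must carry a nonce for this action.
    check_ajax_referer( 'tm_demo_search', 'nonce' );

    // 3. Validate each field against its expected shape. Identifiers are
    //    integers; the free-text term must not contain shortcode delimiters,
    //    a check sanitize_text_field() does not perform.
    $task_id = absint( $_POST['task_id'] ?? 0 );
    $term    = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    if ( preg_match( '/[\[\]]/', $term ) ) {
        wp_send_json_error( 'invalid search term', 400 );
    }

    // 4. Never assemble shortcode text from request data. Hand the values to
    //    the rendering callback as an attributes array, so no parser ever sees
    //    user input as shortcode syntax. Output is escaped inside the callback.
    $html = tm_demo_list_shortcode( array( 'term' => $term ) );
    wp_send_json_success( array( 'task_id' => $task_id, 'html' => $html ) );
}
add_action( 'wp_ajax_tm_demo_search', 'tm_demo_search_hardened' );
```

The decisive change is step 4: once the handler stops concatenating request values into a string that do_shortcode() parses, the bracket check in step 3 becomes defence in depth rather than the only barrier. When reviewing a plugin for this class of bug, search for do_shortcode() calls whose argument is built from $_GET, $_POST or $_REQUEST, and confirm that every wp_ajax_ handler begins with a capability check and check_ajax_referer().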
NVD CVSS 3.1 score: 6.5
Vulnerability type: CWE-94 (Code Injection)
- https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/naviga...
- https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/naviga...
- https://plugins.trac.wordpress.org/browser/task-manager/tags/3.0.2/module/naviga...
- https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/...
- https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/...
- https://plugins.trac.wordpress.org/browser/task-manager/trunk/module/navigation/...
- https://www.wordfence.com/threat-intel/vulnerabilities/id/e3a902a6-c16f-4e0a-a13...
Published: 21 Mar 2026 · Updated: 21 Mar 2026 · First seen: 21 Mar 2026