PT-2026-26868 · WordPress · WordPress Task Manager

Youcef Hamdani · Published 2026-03-21 · Updated 2026-03-21

CVE-2026-4004
CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WordPress Task Manager plugin, versions up to and including 3.0.2

Description: The Task Manager plugin for WordPress is susceptible to arbitrary shortcode execution through the 'search' AJAX action. The cause is a missing capability check in the search() callback combined with inadequate input validation: shortcode syntax passes through sanitize_text_field() unchanged and is then incorporated into a do_shortcode() call. This allows authenticated attackers with Subscriber-level access or higher to execute arbitrary shortcodes on the site by injecting shortcode syntax into parameters such as task_id, point_id, categories_id, or term. The vulnerable API endpoint is '/wp-admin/admin-ajax.php'.

Recommendations: Update the WordPress Task Manager plugin to a version later than 3.0.2.
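The pattern the description names (an admin-ajax callback with no capability check that lets request data reach do_shortcode()) next to a hardened version, as an added illustration. This is not the Task Manager plugin's code; the tm_demo_* function names, the nonce action and the 'edit_posts' capability are assumptions chosen for the example.

```php
<?php
// Illustrative example only: a hypothetical admin-ajax 'search' handler,
// not the Task Manager plugin's actual code. All tm_demo_* names are invented.

// Weak pattern described in the advisory: no capability check, and
// sanitize_text_field() leaves "[...]" intact, so the value is later
// expanded by do_shortcode(). esc_html() does not help either, because it
// does not escape square brackets.
function tm_demo_search_weak() {
    $term = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    echo do_shortcode( '<p>Results for ' . esc_html( $term ) . '</p>' );
    wp_die();
}

// Hardened version: verify a nonce, require a capability, validate typed
// parameters strictly, and never pass request data through do_shortcode().
function tm_demo_search_hardened() {
    // CSRF protection for the AJAX action (nonce created with wp_create_nonce('tm_demo_search')).
    check_ajax_referer( 'tm_demo_search', 'nonce' );

    // Authorization: pick the capability the feature genuinely requires.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions' ), 403 );
    }

    // Free-text search term: sanitize, then remove registered shortcode tags
    // as defence in depth. The real protection is not calling do_shortcode() on it.
    $term = sanitize_text_field( wp_unslash( $_POST['term'] ?? '' ) );
    $term = strip_shortcodes( $term );

    // Numeric identifiers: accept only non-negative integers, nothing else.
    $task_id       = absint( $_POST['task_id'] ?? 0 );
    $point_id      = absint( $_POST['point_id'] ?? 0 );
    $categories_id = absint( $_POST['categories_id'] ?? 0 );

    // Return the user value as escaped text; no shortcode expansion of request data.
    wp_send_json_success( array(
        'html'          => '<p>Results for ' . esc_html( $term ) . '</p>',
        'task_id'       => $task_id,
        'point_id'      => $point_id,
        'categories_id' => $categories_id,
    ) );
}

// Only the logged-in hook is registered; no wp_ajax_nopriv_ variant.
add_action( 'wp_ajax_tm_demo_search', 'tm_demo_search_hardened' );
```

Note that strip_shortcodes() only removes tags that are registered at the time it runs, so it is a secondary control; the capability check and keeping request data out of do_shortcode() are what close the issue the advisory describes.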

Weakness Enumeration
Code Injection

Related Identifiers
CVE-2026-4004

Affected Products
WordPress
WordPress Task Manager