What the vulnerability does
01 Description
The Task Manager plugin for WordPress is vulnerable to Arbitrary File Read in all versions up to, and including, 3.0.2 via the callback_get_text_from_url() function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information.
Explanation of Vulnerability in Simple Terms
02 Summary
Eoxia Task Manager versions 3.0.2 and earlier contain an information disclosure vulnerability. An authenticated user with low privileges can read sensitive data they should not have access to. Exploitation requires network access and valid login credentials but no user interaction. There is no integrity or availability impact.
What an attacker can do
03 Attacker Capabilities
Read sensitive data belonging to other users or the system.
Potential impact on your site
04 Site Impact
User data privacy breach; authenticated users can access confidential information beyond their role.
Conditions required to exploit
05 Prerequisites
Valid login account with low or standard user privileges.
Key dates
06 Disclosure timeline
March 21, 2026: CVE published
April 8, 2026: Record updated