CVE-2026-2351 is an arbitrary file read vulnerability identified in the eoxia Task Manager plugin for WordPress, affecting all versions up to and including 3.0.2. The flaw exists in the callback_get_text_from_url() function, which improperly handles external input controlling file names or paths, classified under CWE-73 (External Control of File Name or Path). Authenticated attackers with as low as Subscriber-level privileges can exploit this vulnerability to read arbitrary files on the hosting server. This can lead to disclosure of sensitive information such as configuration files, credentials, or other private data stored on the server. The vulnerability does not require user interaction beyond authentication, and the attack vector is network-based, making it remotely exploitable. The CVSS v3.1 base score is 6.5, reflecting medium severity with high confidentiality impact but no impact on integrity or availability. No patches or fixes have been released at the time of reporting, and no known exploits have been observed in the wild. The vulnerability highlights the risk of insufficient input validation and access control in WordPress plugins, especially those that handle file operations based on user-supplied data.

The primary impact of this vulnerability is unauthorized disclosure of sensitive server files, which can compromise confidentiality. Attackers could access configuration files, database credentials, or other sensitive data that may facilitate further attacks such as privilege escalation, lateral movement, or data exfiltration. Since the vulnerability requires only low-level authenticated access, it increases risk from compromised or malicious low-privilege accounts. Organizations running WordPress sites with the eoxia Task Manager plugin are at risk of data breaches, loss of customer trust, and potential regulatory penalties if sensitive data is exposed. The vulnerability does not affect system integrity or availability directly but can be a stepping stone for more damaging attacks. The lack of a patch increases exposure time, and the widespread use of WordPress globally means many organizations could be affected.

Until an official patch is released, organizations should implement strict access controls to limit Subscriber-level and higher accounts to trusted users only. Review and audit user accounts to remove or disable unnecessary low-privilege accounts. Employ web application firewalls (WAFs) with custom rules to detect and block suspicious requests targeting the callback_get_text_from_url() function or unusual file path parameters. Monitor server logs for anomalous file access patterns indicative of exploitation attempts. Consider temporarily disabling or removing the eoxia Task Manager plugin if it is not essential. Keep WordPress core and all plugins updated, and subscribe to vendor advisories for timely patch releases. Additionally, implement file system permissions to restrict web server access to sensitive files where possible, reducing the impact of arbitrary file reads.