The eoxia Task Manager plugin for WordPress, versions up to and including 3.0.2, contains a code injection vulnerability identified as CVE-2026-4004 (CWE-94). The vulnerability arises from the 'search' AJAX action's callback_search() function, which lacks proper capability checks and insufficiently validates input parameters. Specifically, parameters such as 'task_id', 'point_id', 'categories_id', and 'term' accept user input that passes through sanitize_text_field(), which does not remove shortcode syntax (square brackets). This input is then concatenated into a do_shortcode() call, enabling execution of arbitrary shortcodes. Since WordPress shortcodes can execute PHP code or trigger plugin/theme functionality, this can lead to unauthorized code execution. The vulnerability requires the attacker to be authenticated with at least Subscriber-level privileges, which is a low bar in many WordPress setups. The CVSS v3.1 base score is 6.5, reflecting medium severity, with network attack vector, low attack complexity, no user interaction, and no privileges required beyond authentication. Although no public exploits are known, the flaw poses a significant risk to site integrity and confidentiality, as malicious shortcodes could be used to manipulate site content, escalate privileges, or exfiltrate data. The vulnerability affects all versions of the plugin up to 3.0.2, and no official patches have been linked yet.

This vulnerability allows authenticated low-privilege users to execute arbitrary shortcodes, which can lead to unauthorized code execution within the WordPress environment. The impact includes potential site defacement, data leakage, privilege escalation, or further compromise of the hosting server if malicious shortcodes invoke unsafe PHP functions or plugins. Since Subscriber-level access is commonly granted to registered users or commenters, many WordPress sites using this plugin are at risk. The integrity of site content and confidentiality of data can be compromised, undermining user trust and potentially violating data protection regulations. Availability impact is low as the vulnerability does not directly enable denial of service. However, successful exploitation could be a stepping stone for more severe attacks. Organizations relying on the eoxia Task Manager plugin face reputational damage and operational disruption if exploited.

To mitigate this vulnerability, organizations should immediately restrict access to the affected AJAX 'search' action by implementing strict capability checks to ensure only trusted roles can invoke it. Input validation must be enhanced to sanitize or reject any shortcode syntax before passing parameters to do_shortcode(). Until an official patch is released, administrators can disable the plugin or remove the vulnerable AJAX handler via custom code or security plugins that filter AJAX requests. Monitoring logs for suspicious shortcode patterns in AJAX requests can help detect exploitation attempts. Additionally, limiting user registrations or subscriber privileges reduces the attack surface. Applying the principle of least privilege for user roles and regularly updating WordPress and plugins when patches become available are critical. Security teams should also consider implementing Web Application Firewalls (WAFs) with rules to block shortcode injection patterns in AJAX parameters.