CVE-2026-4004: CWE-94 Improper Control of Generation of Code ('Code Injection') in eoxia Task Manager
The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows shortcode syntax (square brackets) to pass through sanitize_text_field() and be concatenated into a do_shortcode() call. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes on the site by injecting shortcode syntax into parameters like 'task_id', 'point_id', 'categories_id', or 'term'.
AI Analysis
Technical Summary
CVE-2026-4004 is a code injection vulnerability in the eoxia Task Manager WordPress plugin affecting all versions up to 3.0.2. The issue arises from missing capability checks in the callback_search() function and inadequate sanitization that permits shortcode syntax (square brackets) to bypass sanitize_text_field(). This input is then concatenated into a do_shortcode() call, enabling authenticated attackers with Subscriber-level privileges or higher to execute arbitrary shortcodes by injecting shortcode syntax into parameters such as 'task_id', 'point_id', 'categories_id', or 'term'.
Potential Impact
An attacker with at least Subscriber-level access can execute arbitrary shortcodes on the affected WordPress site, potentially leading to unauthorized actions or information disclosure depending on the shortcodes executed. The vulnerability does not require user interaction and has a network attack vector. The CVSS score of 6.5 reflects a medium severity impact with limited confidentiality and integrity impact and no availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Subscriber-level access where possible and monitor for suspicious shortcode usage in AJAX requests related to the 'search' action. Avoid granting unnecessary privileges to users and consider disabling or replacing the affected plugin if feasible.
CVE-2026-4004: CWE-94 Improper Control of Generation of Code ('Code Injection') in eoxia Task Manager
Description
The Task Manager plugin for WordPress is vulnerable to arbitrary shortcode execution via the 'search' AJAX action in all versions up to, and including, 3.0.2. This is due to missing capability checks in the callback_search() function and insufficient input validation that allows shortcode syntax (square brackets) to pass through sanitize_text_field() and be concatenated into a do_shortcode() call. This makes it possible for authenticated attackers, with Subscriber-level access and above, to execute arbitrary shortcodes on the site by injecting shortcode syntax into parameters like 'task_id', 'point_id', 'categories_id', or 'term'.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-4004 is a code injection vulnerability in the eoxia Task Manager WordPress plugin affecting all versions up to 3.0.2. The issue arises from missing capability checks in the callback_search() function and inadequate sanitization that permits shortcode syntax (square brackets) to bypass sanitize_text_field(). This input is then concatenated into a do_shortcode() call, enabling authenticated attackers with Subscriber-level privileges or higher to execute arbitrary shortcodes by injecting shortcode syntax into parameters such as 'task_id', 'point_id', 'categories_id', or 'term'.
Potential Impact
An attacker with at least Subscriber-level access can execute arbitrary shortcodes on the affected WordPress site, potentially leading to unauthorized actions or information disclosure depending on the shortcodes executed. The vulnerability does not require user interaction and has a network attack vector. The CVSS score of 6.5 reflects a medium severity impact with limited confidentiality and integrity impact and no availability impact reported.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, restrict Subscriber-level access where possible and monitor for suspicious shortcode usage in AJAX requests related to the 'search' action. Avoid granting unnecessary privileges to users and consider disabling or replacing the affected plugin if feasible.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- Wordfence
- Date Reserved
- 2026-03-11T18:54:27.040Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69be1811f4197a8e3b7843f7
Added to database: 3/21/2026, 4:01:21 AM
Last enriched: 4/9/2026, 11:36:16 AM
Last updated: 5/2/2026, 3:46:30 PM
Views: 41
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.