Task Manager WordPress Plugin Shortcode Execution Vulnerability
Vulnerability
A vulnerability in the Task Manager plugin for WordPress allows authenticated users with Subscriber-level access and above to execute arbitrary shortcodes. This issue is present in all versions of the plugin up to and including 3.0.2. The vulnerability arises from missing capability checks and inadequate input validation in the 'callback_search()' function, which enables shortcode syntax to bypass sanitization and be executed on the site. Exploitation can be achieved by injecting shortcode syntax into several parameters, including 'task_id', 'point_id', 'categories_id', or 'term'.
Impact
Successful exploitation of this vulnerability allows for arbitrary shortcode execution on the affected WordPress site.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher sends a request to the 'search' AJAX action. The request must include one of the vulnerable parameters, such as 'task_id', 'point_id', 'categories_id', or 'term', with injected shortcode syntax. The 'callback_search()' function processes the request without a capability check, fails to sanitize the shortcode syntax, and passes it to 'do_shortcode()', which executes it.
Remediation
No known patch is available for this vulnerability. Users are advised to review the vulnerability details and consider uninstalling the affected plugin.
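For sites that cannot remove the plugin immediately, a must-use plugin can act as a stopgap by running ahead of the 'search' AJAX handler, enforcing a capability check and rejecting shortcode brackets in the four named parameters. This is an added example, not code from Task Manager or from this advisory's authors; the `tm_` names, the `edit_posts` capability and the assumption that the plugin's handler is hooked at a priority later than 0 are all assumptions to adjust per site.

```php
<?php
/**
 * Plugin Name: Task Manager search hardening (stopgap)
 * Added example, not Task Manager code. Place in wp-content/mu-plugins/.
 */

// Parameters the advisory names as reaching do_shortcode().
const TM_GUARDED_PARAMS = array( 'task_id', 'point_id', 'categories_id', 'term' );

// Assumption: only users who can edit posts need the search action.
const TM_REQUIRED_CAP = 'edit_posts';

/** True if a string, or any string nested in an array, contains '[' or ']'. */
function tm_has_shortcode_syntax( $value ) {
	if ( is_array( $value ) ) {
		foreach ( $value as $item ) {
			if ( tm_has_shortcode_syntax( $item ) ) {
				return true;
			}
		}
		return false;
	}
	// Shortcodes need square brackets; IDs and search terms normally do not.
	return is_string( $value ) && preg_match( '/[\[\]]/', $value ) === 1;
}

/** Hooked at priority 0 so it runs before handlers at the default priority. */
function tm_guard_search_ajax() {
	if ( ! current_user_can( TM_REQUIRED_CAP ) ) {
		wp_send_json_error( 'forbidden', 403 ); // sends JSON and exits
	}
	foreach ( TM_GUARDED_PARAMS as $param ) {
		if ( isset( $_REQUEST[ $param ] )
			&& tm_has_shortcode_syntax( wp_unslash( $_REQUEST[ $param ] ) ) ) {
			error_log( sprintf(
				'tm-guard: blocked search request, user=%d param=%s',
				get_current_user_id(),
				$param
			) );
			wp_send_json_error( 'invalid input', 400 );
		}
	}
}
add_action( 'wp_ajax_search', 'tm_guard_search_ajax', 0 );
```

The `error_log()` line doubles as a detection signal: entries from low-privileged accounts indicate attempted use of the vulnerable parameters.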
