CVE-2025-60078
📋 TL;DR
This vulnerability allows attackers to include local files on the server because the filename passed to PHP include/require statements is not properly controlled. It affects installations of the WordPress Task Manager plugin running versions up to and including 3.0.2. Attackers can potentially read sensitive files or execute arbitrary code.
💻 Affected Systems
- WordPress Task Manager plugin by Agence web Eoxia
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete system compromise, data exfiltration, or ransomware deployment
Likely Case
Sensitive file disclosure (configuration files, database credentials, user data) and limited code execution
If Mitigated
File read attempts blocked, no code execution possible
🎯 Exploit Status
Simple path traversal techniques can exploit this vulnerability
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.0.3 or later
Restart Required: No
Instructions:
1. Log into WordPress admin panel
2. Navigate to Plugins → Installed Plugins
3. Find Task Manager plugin
4. Click 'Update Now' if available
5. If no update is available, download version 3.0.3 or later from the WordPress plugin repository
6. Deactivate the old plugin, upload the new version, then activate it
🔧 Temporary Workarounds
Disable vulnerable plugin
Temporarily disable the Task Manager plugin until patched (all platforms)
wp plugin deactivate task-manager
Restrict PHP include paths
Configure PHP to restrict include/require to specific directories (Linux)
php_admin_value open_basedir /var/www/html
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block path traversal patterns
- Restrict the web server user's file system permissions to read-only access on only the directories it needs
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Task Manager version. If the version is 3.0.2 or lower, the system is vulnerable.
Check Version:
wp plugin get task-manager --field=version
Verify Fix Applied:
Confirm Task Manager plugin version is 3.0.3 or higher in WordPress admin panel.
📡 Detection & Monitoring
Log Indicators:
- Unusual file access patterns in web server logs
- PHP include/require errors with path traversal patterns
- Requests containing '../' or similar directory traversal sequences
Network Indicators:
- HTTP requests with file path parameters containing traversal sequences
- Unusual file extensions in URL parameters
SIEM Query:
source="web_access.log" AND (uri="*../*" OR uri="*..%2f*" OR uri="*..%5c*") AND uri="*task-manager*"
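The log indicators and SIEM query above, implemented as a small access-log scanner. This is an added example, not part of the original advisory: it parses constructed Apache-style log lines, percent-decodes each URI repeatedly (so it goes beyond the query above by also catching double-encoded traversal such as %252e%252e%252f), folds backslashes to slashes, and flags only requests that reference the task-manager plugin path and carry a '..' segment. The sample lines, IP addresses and the `file` parameter name are constructed for illustration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2025:12:00:01 +0000] "GET /wp-content/plugins/task-manager/view.php?file=../../wp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.11 - - [10/Oct/2025:12:00:02 +0000] "GET /wp-content/plugins/task-manager/view.php?file=..%2f..%2fwp-config.php HTTP/1.1" 200 512 "-" "curl/8.0"
203.0.113.12 - - [10/Oct/2025:12:00:03 +0000] "GET /wp-content/plugins/task-manager/view.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 512 "-" "curl/8.0"
198.51.100.5 - - [10/Oct/2025:12:00:04 +0000] "GET /wp-content/plugins/task-manager/assets/app.js HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.6 - - [10/Oct/2025:12:00:05 +0000] "GET /blog/../index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# Extracts client IP, timestamp, method, request URI and status from a combined-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})')

# A '..' segment delimited by path separator, '=' (query value start), '&' or the ends of the string.
TRAVERSAL_RE = re.compile(r'(?:^|[/=&])\.\.(?:/|$|&)')

def normalize_uri(uri: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded '..%252f' is caught, then fold '\\' to '/'."""
    decoded = uri
    for _ in range(rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")

def is_traversal_against_task_manager(uri: str) -> bool:
    """True when the decoded request targets the task-manager plugin path and contains a '..' segment."""
    norm = normalize_uri(uri).lower()
    return "task-manager" in norm and TRAVERSAL_RE.search(norm) is not None

def scan_log(text: str) -> list[dict]:
    """Return one record per suspicious request, with the decoded URI for analyst review."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and is_traversal_against_task_manager(m["uri"]):
            hits.append({"ip": m["ip"], "ts": m["ts"], "uri": m["uri"],
                         "status": int(m["status"]), "decoded": normalize_uri(m["uri"])})
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], h["decoded"])
```

A 200 status on a flagged request is the case worth escalating first, since it suggests the include succeeded rather than being rejected by open_basedir or a WAF rule.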