Server-Side Request Forgery Vulnerability in Task Scheduler Plugin for WordPress
CVE-2025-10056

4.4 MEDIUM

Key Information:

Vendor

WordPress

CVE Published:
15 October 2025

What is CVE-2025-10056?

The Task Scheduler plugin for WordPress contains a Server-Side Request Forgery (SSRF) vulnerability caused by improper handling of the 'Check Website' task feature. All versions up to and including 1.6.3 are affected. The flaw allows authenticated users with Administrator-level access or higher to make the web application send requests to arbitrary internal and external resources. Such requests can be used to query and modify information on internal services without authorization, which puts sites running this plugin at risk.

Affected Version(s)

Task Scheduler * <= 1.6.3

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: High
User Interaction: None
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Jonas Benjamin Friedli