Description
The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id.
Published: 2026-04-22
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized deletion of taxonomy terms via missing authorization checks
Action: Apply patch
AI Analysis

Impact

The TP Restore Categories And Taxonomies plugin for WordPress fails to enforce sufficient permissions when processing the tpmcattt_delete_term AJAX action. Although a nonce is verified, it is generated for all authenticated users and can be retrieved from any wp-admin page, including those accessible by Subscribers. Consequently, any authenticated user with Subscriber or higher privileges can send a crafted request to permanently delete taxonomy term records from the plugin's trash/backup tables, destroying backed-up terms without holding any capability that permits the deletion.

Affected Systems

This issue affects the WordPress plugin TP Restore Categories And Taxonomies in all releases up to and including version 1.0.1. Users running any of these versions on a WordPress installation are potentially exposed to the vulnerability.

Risk and Exploitability

The CVSS score of 4.3 places this vulnerability in the moderate range. No EPSS data is available and it is not listed in the CISA KEV catalog. An attacker needs only a valid subscriber‑level account and the ability to interact with the site's wp-admin area to obtain the nonce, after which a simple AJAX request can delete taxonomy records. The lack of a capability check and the universal availability of the nonce make exploitation straightforward for any authenticated user.

Generated by OpenCVE AI on April 22, 2026 at 09:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TP Restore Categories And Taxonomies plugin to a version that implements a capability check for taxonomy deletion actions.
  • If an upgrade is not immediately possible, disable or remove the tpmcattt_delete_term AJAX handler for Subscriber and lower roles, ensuring that only administrators can trigger delete operations.
  • Reduce the permissions granted to Subscriber users by revoking their ability to access or view pages that expose the AJAX nonce, such as profile.php, or by configuring role‑based access control to limit their access to wp-admin.
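As an added example (not the plugin's own code), the handler pattern the advisory describes is shown next to a hardened version of the same AJAX action. The point is that check_ajax_referer() is a CSRF control, not an authorization control: the fix is a current_user_can() check in the handler, plus issuing the nonce only on the plugin's own screen and only to users who may delete, rather than on every wp-admin page via admin_enqueue_scripts. The nonce action name 'tpmcattt_nonce', the capability 'manage_categories', the backup table name and the screen hook suffix 'tools_page_tpmcattt' are assumptions, not values from the advisory.

```php
<?php
/*
 * Added example, not the plugin's code. Assumed names (not from the advisory):
 * nonce action 'tpmcattt_nonce', capability 'manage_categories',
 * table {$wpdb->prefix}tpmcattt_trash, screen hook suffix 'tools_page_tpmcattt'.
 */

// Pattern described in the advisory, kept here only for contrast:
// the nonce is checked, but nothing asks whether this user may delete.
function tpmcattt_delete_term_unsafe() {
    check_ajax_referer( 'tpmcattt_nonce' ); // CSRF check only
    global $wpdb;
    $term_id = (int) $_POST['term_id'];
    $wpdb->delete( $wpdb->prefix . 'tpmcattt_trash', array( 'term_id' => $term_id ), array( '%d' ) );
    wp_send_json_success();
}

// Hardened handler: nonce (CSRF) + capability (authorization) + input validation.
function tpmcattt_delete_term_safe() {
    // 1. CSRF: on a bad or missing nonce check_ajax_referer() terminates with -1.
    check_ajax_referer( 'tpmcattt_nonce' );

    // 2. Authorization: a nonce only proves the request came from a page the user
    //    loaded; it says nothing about what the user is allowed to do. Require the
    //    capability WordPress core itself uses for deleting terms.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: term_id must be a positive integer.
    $term_id = isset( $_POST['term_id'] ) ? absint( wp_unslash( $_POST['term_id'] ) ) : 0;
    if ( $term_id < 1 ) {
        wp_send_json_error( array( 'message' => 'Invalid term_id.' ), 400 );
    }

    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'tpmcattt_trash', // assumed backup table name
        array( 'term_id' => $term_id ),
        array( '%d' )
    );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Database error.' ), 500 );
    }
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
// Only the hardened handler is registered for the action.
add_action( 'wp_ajax_tpmcattt_delete_term', 'tpmcattt_delete_term_safe' );

// Nonce provisioning: print the nonce only on the plugin's own admin screen and
// only for users who hold the capability, instead of on every wp-admin page
// (which is how a Subscriber on profile.php ended up with a valid nonce).
function tpmcattt_enqueue_admin( $hook_suffix ) {
    if ( 'tools_page_tpmcattt' !== $hook_suffix || ! current_user_can( 'manage_categories' ) ) {
        return; // nothing is enqueued for other screens or for Subscribers
    }
    wp_enqueue_script( 'tpmcattt-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'tpmcattt-admin', 'tpmcattt', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'tpmcattt_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'tpmcattt_enqueue_admin' );
```

The capability check must sit inside the handler, not only in the enqueue logic: restricting where the nonce is printed is defence in depth, but any user who obtains a nonce by other means (for example another plugin printing it) would still be stopped by current_user_can() in the handler itself.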

Advisories

No advisories yet.

History

Wed, 22 Apr 2026 13:15:00 +0000

Type: Metrics (ssvc)
Values Removed: (none)
Values Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 12:15:00 +0000

Type: First Time appeared
Values Removed: (none)
Values Added: Tplugins; Tplugins tp Restore Categories And Taxonomies; Wordpress; Wordpress wordpress

Type: Vendors & Products
Values Removed: (none)
Values Added: Tplugins; Tplugins tp Restore Categories And Taxonomies; Wordpress; Wordpress wordpress

Wed, 22 Apr 2026 08:30:00 +0000

Type: Description
Values Removed: (none)
Values Added: The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id.

Type: Title
Values Removed: (none)
Values Added: TP Restore Categories And Taxonomies <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via 'tpmcattt_delete_term' AJAX Action

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-862

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics (cvssV3_1)
Values Removed: (none)
Values Added: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-22T12:11:34.991Z

Reserved: 2026-03-13T14:11:25.304Z

Link: CVE-2026-4128

Vulnrichment

Updated: 2026-04-22T12:11:27.226Z

NVD

Status: Deferred

Published: 2026-04-22T09:16:23.930

Modified: 2026-04-22T20:22:50.570

Link: CVE-2026-4128

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T11:49:56Z

Weaknesses