{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-4128", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2026-03-13T14:11:25.304Z", "datePublished": "2026-04-22T07:45:35.777Z", "dateUpdated": "2026-04-22T07:45:35.777Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-22T07:45:35.777Z"}, "affected": [{"vendor": "tplugins", "product": "TP Restore Categories And Taxonomies", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.0.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id."}], "title": "TP Restore Categories And Taxonomies <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via 'tpmcattt_delete_term' AJAX Action", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53a0749f-86e9-4f62-9de2-a6759c78ba2f?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/trunk/admin/class-tp-move-categories-and-taxonomies-to-trash-admin.php#L474"}, {"url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/tags/1.0.1/admin/class-tp-move-categories-and-taxonomies-to-trash-admin.php#L474"}, {"url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/trunk/includes/class-tp-move-categories-and-taxonomies-to-trash.php#L169"}, {"url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/tags/1.0.1/includes/class-tp-move-categories-and-taxonomies-to-trash.php#L169"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Nabil Irawan"}], "timeline": [{"time": "2026-04-21T19:08:29.000Z", "lang": "en", "value": "Disclosed"}]}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id."}], "id": "CVE-2026-4128", "lastModified": "2026-04-22T09:16:23.930", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2026-04-22T09:16:23.930", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/tags/1.0.1/admin/class-tp-move-categories-and-taxonomies-to-trash-admin.php#L474"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/tags/1.0.1/includes/class-tp-move-categories-and-taxonomies-to-trash.php#L169"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/trunk/admin/class-tp-move-categories-and-taxonomies-to-trash-admin.php#L474"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/tp-restore-categories-and-taxonomies/trunk/includes/class-tp-move-categories-and-taxonomies-to-trash.php#L169"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/53a0749f-86e9-4f62-9de2-a6759c78ba2f?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T09:26:06.467778+00:00", "value": {"mitigation_remediation": ["Upgrade the TP Restore Categories And Taxonomies plugin to a version that implements a capability check for taxonomy deletion actions.", "If an upgrade is not immediately possible, disable or remove the tpmcattt_delete_term AJAX handler for Subscriber and lower roles, ensuring that only administrators can trigger delete operations.", "Reduce the permissions granted to Subscriber users by revoking their ability to access or view pages that expose the AJAX nonce, such as profile.php, or by configuring role\u2011based access control to limit their access to wp-admin."], "summary": {"action": "Apply patch", "impact": "Unauthorized deletion of taxonomy terms via missing authorization checks"}, "threat_synthesis": {"affected_systems": "This issue affects the WordPress plugin TP Restore Categories And Taxonomies in all releases up to and including version 1.0.1. Users running any of these versions on a WordPress installation are potentially exposed to the vulnerability.", "description_and_impact": "The TP Restore Categories And Taxonomies plugin for WordPress fails to enforce sufficient permissions when processing the tpmcattt_delete_term AJAX action. Although a nonce is verified, it is generated for all authenticated users and can be retrieved from any wp-admin page, including those accessible by Subscribers. Consequently, authorized users with Subscriber or higher privileges can send a crafted request to permanently delete taxonomy terms from the plugin\u2019s backup tables, effectively removing categorized content without appropriate approval.", "risk_and_exploitability": "The CVSS score of 4.3 places this vulnerability in the moderate range. No EPSS data is available and it is not listed in the CISA KEV catalog. An attacker needs only a valid subscriber\u2011level account and the ability to interact with the site's wp-admin area to obtain the nonce, after which a simple AJAX request can delete taxonomy records. The lack of a capability check and the universal availability of the nonce make exploitation straightforward for any authenticated user."}}}}, "created": "2026-04-22T09:30:13.555178+00:00", "updated": "2026-04-22T09:30:13.555190+00:00", "vendors": []}