TP Restore Categories And Taxonomies CVE-2026-4128

EUVD-2026-24670 | Severity: MEDIUM
Missing Authorization (CWE-862)
2026-04-22 | Wordfence
CVSS 3.1 base score: 4.3

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: Low
Availability: None

Lifecycle Timeline

1. Analysis Generated: Apr 22, 2026 - 10:01 (vuln.today)

Description (NVD)

The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id.
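The pattern the description identifies (a nonce check standing in for an authorization check) next to a hardened handler, as an added example that is not the plugin's own code. The nonce action name, the helper tpmcattt_remove_backup_row(), the script handle and the capability chosen are assumptions; current_user_can(), check_ajax_referer(), absint(), wp_send_json_* and the enqueue/localize functions are standard WordPress APIs.

```php
<?php
// Added example, not code from the TP Restore Categories And Taxonomies plugin.
// 'tpmcattt_nonce' and tpmcattt_remove_backup_row() are hypothetical names.

// Nonce-only pattern (the class of bug described above): a valid nonce proves
// the request originated from a logged-in admin page load, not that the user
// is allowed to delete anything. Every user who can load profile.php gets one.
function tpmcattt_delete_term_vulnerable() {
    check_ajax_referer( 'tpmcattt_nonce', 'nonce' );
    $term_id = absint( $_POST['term_id'] ?? 0 );
    tpmcattt_remove_backup_row( $term_id ); // hypothetical helper
    wp_send_json_success();
}

// Hardened form: authorize first, then verify the nonce, then validate input.
function tpmcattt_delete_term_hardened() {
    // 1. Capability check: the missing step. Only users who may manage terms
    //    get past this line, regardless of whether they hold a nonce.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    // 2. CSRF check: still required, but it complements authorization
    //    rather than replacing it.
    check_ajax_referer( 'tpmcattt_nonce', 'nonce' );
    // 3. Input validation: reject a missing, zero or non-numeric term_id.
    $term_id = absint( $_POST['term_id'] ?? 0 );
    if ( 0 === $term_id ) {
        wp_send_json_error( 'Invalid term_id', 400 );
    }
    tpmcattt_remove_backup_row( $term_id ); // hypothetical helper
    wp_send_json_success( array( 'deleted' => $term_id ) );
}
add_action( 'wp_ajax_tpmcattt_delete_term', 'tpmcattt_delete_term_hardened' );

// Defence in depth: only hand the nonce to users who can use the feature.
// The description notes the nonce was emitted on every wp-admin page via
// admin_enqueue_scripts; gating the enqueue on the same capability narrows
// that exposure even if a handler check is ever forgotten again.
function tpmcattt_enqueue_admin( $hook_suffix ) {
    if ( ! current_user_can( 'manage_categories' ) ) {
        return;
    }
    wp_enqueue_script( 'tpmcattt-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), false, true );
    wp_localize_script( 'tpmcattt-admin', 'tpmcattt', array(
        'nonce' => wp_create_nonce( 'tpmcattt_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'tpmcattt_enqueue_admin' );
```

When reviewing AJAX handlers for this bug class, look for a check_ajax_referer() or wp_verify_nonce() call with no current_user_can() in the same handler; the nonce verifies request origin, never privilege.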

Analysis (AI)

TP Restore Categories And Taxonomies WordPress plugin versions up to 1.0.1 lack capability checks in the delete_term() AJAX handler, allowing authenticated Subscriber-level users to permanently delete taxonomy terms from backup tables by reusing a nonce exposed to all authenticated users. The vulnerability bypasses authorization despite nonce validation, enabling low-privileged attackers to cause data loss via a simple crafted AJAX request.

