Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Lifecycle Timeline
4DescriptionCVE.org
The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id.
AnalysisAI
TP Restore Categories And Taxonomies WordPress plugin versions up to 1.0.1 lack capability checks in the delete_term() AJAX handler, allowing authenticated Subscriber-level users to permanently delete taxonomy terms from backup tables by reusing a nonce exposed to all authenticated users. The vulnerability bypasses authorization despite nonce validation, enabling low-privileged attackers to cause data loss via a simple crafted AJAX request.
Technical ContextAI
The plugin registers a delete_term() function to handle the 'tpmcatpt_delete_term' AJAX action without checking user capabilities via current_user_can(). While the code does validate a nonce using check_ajax_referer(), this nonce is generated for all authenticated users during the admin_enqueue_scripts hook and exposed globally on every wp-admin page accessible to Subscriber-level roles (including profile.php). This is a classic Missing Authorization vulnerability (CWE-862) where authentication exists but authorization does not. The vulnerability affects the WordPress plugin ecosystem where role-based access control is paramount; Subscriber is the lowest privilege level above unauthenticated guests. The CPE identifier cpe:2.3:a:tplugins:tp_restore_categories_and_taxonomies:*:*:*:*:*:*:*:* confirms all versions through 1.0.1 are vulnerable.
RemediationAI
Upgrade TP Restore Categories And Taxonomies plugin to version 1.0.2 or later, which should include proper capability checks (e.g., current_user_can('manage_categories') or equivalent) before executing delete_term(). For immediate protection pending patching, restrict wp-admin access to trusted users only via WordPress role management or Web Application Firewall rules; specifically deny the 'tpmcatpt_delete_term' AJAX action from Subscriber and Contributor roles using a security plugin that can hook into wp_ajax_* actions and verify capabilities. Alternatively, deactivate the plugin if term backup/restore functionality is not actively used. Site administrators should audit deleted terms after patching to identify any unauthorized deletions during the vulnerable window. References: Wordfence vulnerability report at https://www.wordfence.com/threat-intel/vulnerabilities/id/53a0749f-86e9-4f62-9de2-a6759c78ba2f.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-24670