CVE-2026-4128 MEDIUM

CVE-2026-4128: TP Restore Categories And Taxonomies <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via 'tpmcattt_delete_term' AJAX Action

Vendor Tplugins
Product TP Restore Categories And Taxonomies
Weakness CWE-862 · Missing authorization
Published April 22, 2026
Last update April 22, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

What the vulnerability does

01 Description

The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id.
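The following is an added illustration of the pattern the advisory describes and is not the plugin's own code. It contrasts an AJAX handler that only verifies a nonce (the defect reported above) with a hardened version that also checks the user's capability before touching any data, and it stops handing the nonce to users who have no legitimate use for it. The nonce action string, the `nonce` request field, the `taxonomy` parameter, the trash table name and the `tpmcattt_purge_trashed_term()` helper are all assumptions made for this example.

```php
<?php
/*
 * Constructed example for the 'tpmcattt_delete_term' AJAX action.
 * Not the plugin's code: shows the missing-authorization pattern the
 * advisory describes and one way to close it. Nonce action/field names,
 * the trash table and the purge helper are assumptions.
 */

// --- Vulnerable pattern (as described in the advisory) ---------------------
// Only the nonce is verified. Because the nonce is created for every
// logged-in user on every wp-admin page, passing check_ajax_referer() proves
// "this request came from a logged-in user's page", not "this user may
// delete taxonomy data". A Subscriber reaches the purge call unhindered.
function tpmcattt_delete_term_vulnerable() {
    check_ajax_referer( 'tpmcattt_nonce', 'nonce' ); // assumed action/field names
    $term_id = isset( $_POST['term_id'] ) ? absint( $_POST['term_id'] ) : 0;
    tpmcattt_purge_trashed_term( $term_id );        // no capability gate
    wp_send_json_success();
}

// --- Hardened pattern ------------------------------------------------------
function tpmcattt_delete_term_hardened() {
    // 1. CSRF protection. Still required, but it is not authorization.
    check_ajax_referer( 'tpmcattt_nonce', 'nonce' );

    // 2. Input validation: a missing or non-numeric term_id is rejected early.
    $term_id = isset( $_POST['term_id'] ) ? absint( $_POST['term_id'] ) : 0;
    if ( 0 === $term_id ) {
        wp_send_json_error( 'invalid term_id', 400 );
    }

    // 3. Authorization: reuse the capability WordPress core itself uses to
    //    guard term deletion for the taxonomy in question (delete_terms maps
    //    to manage_categories by default). Subscribers fail this check.
    $taxonomy = isset( $_POST['taxonomy'] ) ? sanitize_key( $_POST['taxonomy'] ) : 'category';
    $tax_obj  = get_taxonomy( $taxonomy );
    if ( ! $tax_obj || ! current_user_can( $tax_obj->cap->delete_terms ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    tpmcattt_purge_trashed_term( $term_id );
    wp_send_json_success();
}
add_action( 'wp_ajax_tpmcattt_delete_term', 'tpmcattt_delete_term_hardened' );

// 4. Least exposure: only users who can act on the nonce receive it, so it
//    no longer appears on pages such as profile.php for every logged-in user.
function tpmcattt_enqueue_admin_script() {
    if ( ! current_user_can( 'manage_categories' ) ) {
        return;
    }
    wp_enqueue_script( 'tpmcattt-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'tpmcattt-admin', 'tpmcattt', array(
        'nonce' => wp_create_nonce( 'tpmcattt_nonce' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'tpmcattt_enqueue_admin_script' );

// Assumed helper: removes the backup row for a term from a hypothetical
// trash table. The table name is a placeholder, not the plugin's schema.
function tpmcattt_purge_trashed_term( $term_id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'tpmcattt_trash';
    $wpdb->delete( $table, array( 'term_id' => $term_id ), array( '%d' ) );
}
```

The key design point is that a nonce and a capability check answer different questions: `check_ajax_referer()` only defends against cross-site request forgery, while `current_user_can()` decides whether the caller is allowed to perform the action at all. Reusing the taxonomy's own `delete_terms` capability keeps the plugin's authorization consistent with what core applies on the Categories and Tags screens.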

Explanation of Vulnerability in Simple Terms

02 Summary

TP Restore Categories And Taxonomies versions 1.0.1 and earlier lack proper authorization checks. A logged-in user with low privileges can modify data they should not have access to. The vulnerability affects data integrity but not confidentiality or availability. Update to a version newer than 1.0.1.

What an attacker can do

03 Attacker Capabilities

Modify or alter data in the plugin without proper authorization.

Potential impact on your site

04 Site Impact

Unauthorized users can alter categories, taxonomies, or related data they shouldn't access.

Conditions required to exploit

05 Prerequisites

Attacker must be logged in with low-level user privileges.

Key dates

06 Disclosure timeline

April 22, 2026 CVE published
April 22, 2026 Record updated