PT-2026-34291 · Ht Plugins · Tp Restore Categories/Taxonomies

Nabil Irawan · Published 2026-04-22 · Updated 2026-04-22 · CVE-2026-4128

CVSS v3.1: 4.3 (Medium) · AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify that the user has sufficient permissions. While it does verify a nonce via check_ajax_referer(), this nonce is generated for all authenticated users via the admin_enqueue_scripts hook and exposed on any wp-admin page (including profile.php, which subscribers can access). This makes it possible for authenticated attackers, with Subscriber-level access and above, to permanently delete taxonomy term records from the plugin's trash/backup tables by sending a crafted AJAX request with a valid nonce and an arbitrary term_id.
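The handler shape the advisory describes, beside a hardened form, as an added illustration that is not the plugin's own code. The nonce action name, the trash table name and the function names are assumptions; only the 'tpmcattt_delete_term' AJAX action comes from the advisory.

```php
<?php
// Added example, not the plugin's code. 'tpmcattt_delete_term' is the AJAX
// action named in the advisory; the nonce action and table name are placeholders.

// Shape of the flaw described above: the nonce proves the request came from a
// page that carried the nonce, but nothing proves the caller may delete terms.
function example_delete_term_vulnerable() {
    check_ajax_referer( 'PLACEHOLDER_nonce_action', 'nonce' ); // CSRF check only
    global $wpdb;
    $term_id = absint( $_POST['term_id'] ?? 0 );
    $wpdb->delete( $wpdb->prefix . 'PLACEHOLDER_trash_table', array( 'term_id' => $term_id ), array( '%d' ) );
    wp_send_json_success();
}

// Hardened form: keep the nonce check (anti-CSRF) and add the authorization
// check. A Subscriber lacks manage_categories, so the delete is never reached.
function example_delete_term_hardened() {
    check_ajax_referer( 'PLACEHOLDER_nonce_action', 'nonce' );
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $term_id = absint( $_POST['term_id'] ?? 0 );
    if ( 0 === $term_id ) {
        wp_send_json_error( array( 'message' => 'Invalid term_id.' ), 400 );
    }
    global $wpdb;
    $wpdb->delete( $wpdb->prefix . 'PLACEHOLDER_trash_table', array( 'term_id' => $term_id ), array( '%d' ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_tpmcattt_delete_term', 'example_delete_term_hardened' );

// Second half of the fix: stop handing the nonce to every logged-in user on
// every wp-admin page. Localize it only for users who can act on it.
function example_enqueue_scripts( $hook_suffix ) {
    if ( ! current_user_can( 'manage_categories' ) ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'nonce' => wp_create_nonce( 'PLACEHOLDER_nonce_action' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_scripts' );
```

The capability check is the essential part: a nonce is a CSRF token tied to the logged-in session, not a proof of privilege, so any authenticated user who can obtain one passes check_ajax_referer().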

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2026-4128

Affected Products: Tp Restore Categories/Taxonomies