PT-2026-34291 · WordPress · Tp Restore Categories/Taxonomies

Nabil Irawan · Published 2026-04-22 · Updated 2026-04-23 · CVE-2026-4128

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: TP Restore Categories And Taxonomies versions prior to 1.0.2
Description: The plugin is affected by missing authorization. The delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action, performs no capability check to verify that the requesting user has the necessary permissions. A nonce is verified via check_ajax_referer(), but that nonce is exposed to every authenticated user on any wp-admin page, so it provides CSRF protection only, not authorization. Consequently, authenticated attackers with Subscriber-level access or higher can permanently delete taxonomy term records from the trash or backup tables by sending a crafted AJAX request containing a valid nonce and a specific term_id.
Recommendations: Update to a version later than 1.0.1. As a temporary workaround, restrict access to the delete_term() function or the 'tpmcattt_delete_term' AJAX action to users with higher administrative privileges.
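As an added illustration (not the plugin's own code; the hook, action, nonce and table names are assumptions), the handler shape the description refers to beside the hardened form the recommendation calls for, where the nonce check is kept and a capability check is added in front of the delete:

```php
<?php
// Constructed example, not the plugin's code. Hook, action, nonce and table
// names are assumptions chosen for illustration.

// VULNERABLE PATTERN: the nonce only proves the request originated from a
// logged-in user's wp-admin page. It says nothing about whether that user
// is allowed to delete terms, so a Subscriber passes this check.
add_action( 'wp_ajax_example_delete_term_vulnerable', 'example_delete_term_vulnerable' );
function example_delete_term_vulnerable() {
    check_ajax_referer( 'example_delete_term', 'nonce' ); // CSRF check only
    global $wpdb;
    $term_id = (int) $_POST['term_id'];
    // Deletes from a backup table regardless of who is asking.
    $wpdb->delete(
        $wpdb->prefix . 'example_term_backup',
        array( 'term_id' => $term_id ),
        array( '%d' )
    );
    wp_send_json_success();
}

// HARDENED PATTERN: nonce check (CSRF) plus capability check (authorization).
// manage_categories is the core capability for term management (Editor and up).
add_action( 'wp_ajax_example_delete_term', 'example_delete_term_fixed' );
function example_delete_term_fixed() {
    check_ajax_referer( 'example_delete_term', 'nonce' );
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 ); // exits
    }
    $term_id = isset( $_POST['term_id'] ) ? absint( $_POST['term_id'] ) : 0;
    if ( 0 === $term_id ) {
        wp_send_json_error( 'invalid term id', 400 );
    }
    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'example_term_backup',
        array( 'term_id' => $term_id ),
        array( '%d' )
    );
    if ( false === $deleted ) {
        wp_send_json_error( 'database error', 500 );
    }
    wp_send_json_success( array( 'deleted' => $deleted ) );
}
```

When auditing other handlers, treat every wp_ajax_ callback that reaches a write as needing both checks; a check_ajax_referer() call on its own is the exact pattern this advisory describes.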

Fix

Missing Authorization


Weakness Enumeration

Related Identifiers

CVE-2026-4128

Affected Products

Tp Restore Categories/Taxonomies