CVE-2026-4128 Overview
A Missing Authorization vulnerability (CWE-862) has been identified in the TP Restore Categories And Taxonomies plugin for WordPress, affecting all versions up to and including 1.0.1. The vulnerability exists in the delete_term() function, which handles the tpmcattt_delete_term AJAX action. This function fails to perform any capability check using current_user_can() to verify whether the user has sufficient permissions to execute the action.
While the plugin does verify a nonce via check_ajax_referer(), this security measure is insufficient because the nonce is generated for all authenticated users through the admin_enqueue_scripts hook and exposed on any wp-admin page, including profile.php, which even Subscriber-level users can access. This allows authenticated attackers with minimal privileges to permanently delete taxonomy term records from the plugin's trash/backup tables.
Critical Impact
Authenticated users with Subscriber-level access can permanently delete taxonomy term records by exploiting the missing authorization check, potentially causing data loss and disrupting site content organization.
Affected Products
- TP Restore Categories And Taxonomies plugin for WordPress versions up to and including 1.0.1
Discovery Timeline
- 2026-04-22 - CVE-2026-4128 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-4128
Vulnerability Analysis
This vulnerability represents a classic Missing Authorization flaw where the application relies solely on nonce verification without implementing proper capability checks. The core issue is the improper access control design that assumes nonce validation is sufficient for authorization, when in reality nonces only protect against Cross-Site Request Forgery (CSRF) attacks and do not verify user permissions.
The vulnerable delete_term() function processes AJAX requests to delete taxonomy terms from the plugin's backup tables. Since the nonce is made available to all authenticated users through the admin_enqueue_scripts hook on wp-admin pages accessible to Subscribers (such as profile.php), any logged-in user can obtain a valid nonce and craft malicious AJAX requests.
This broken access control pattern allows privilege escalation where Subscriber-level users can perform administrative actions that should be restricted to higher-privileged roles.
Root Cause
The root cause is the absence of capability verification in the delete_term() function. The plugin developers implemented nonce verification using check_ajax_referer(), which correctly prevents CSRF attacks. However, they failed to implement current_user_can() checks to verify that the authenticated user has the appropriate capability (such as manage_categories or delete_terms) to perform term deletion operations.
Additionally, the nonce is generated and exposed via admin_enqueue_scripts on all wp-admin pages rather than being restricted to pages where administrators with appropriate permissions would need it. This architectural flaw makes the nonce accessible to all authenticated users, including those with minimal privileges.
Attack Vector
The attack requires an authenticated WordPress user with at least Subscriber-level access. The attacker navigates to any accessible wp-admin page (such as profile.php) to obtain the valid nonce that the plugin exposes to all authenticated users. With the nonce in hand, the attacker crafts a malicious AJAX request targeting the tpmcattt_delete_term action.
The attack is network-based and requires low complexity to execute. The attacker sends the crafted AJAX request to the WordPress admin-ajax.php endpoint with the valid nonce and an arbitrary term_id parameter. Since no capability check exists, the server processes the request and permanently deletes the specified taxonomy term record from the plugin's trash/backup tables.
This vulnerability is classified as having a network attack vector, requiring low privileges and no user interaction to exploit. The impact is limited to integrity, as attackers can delete data but cannot read confidential information or cause system unavailability.
Detection Methods for CVE-2026-4128
Indicators of Compromise
- Unusual AJAX requests to admin-ajax.php with the action tpmcattt_delete_term from low-privileged user accounts
- Database audit logs showing taxonomy term deletions performed by users without appropriate administrative roles
- Unexpected deletion of records from the plugin's trash/backup taxonomy tables
- Access logs showing Subscriber or other low-privilege users repeatedly accessing wp-admin pages followed by AJAX requests
Detection Strategies
- Monitor WordPress AJAX request logs for tpmcattt_delete_term actions originating from non-administrator user sessions
- Implement database-level auditing to track DELETE operations on the plugin's taxonomy tables and correlate with user role information
- Deploy Web Application Firewall (WAF) rules to detect and alert on suspicious AJAX request patterns from authenticated users
- Review access control logs for Subscriber-level users accessing administrative functions
Monitoring Recommendations
- Enable comprehensive WordPress audit logging to capture all AJAX actions with user context
- Configure alerts for any database modifications to taxonomy-related tables by non-administrator accounts
- Implement real-time monitoring of wp-admin AJAX endpoints with anomaly detection for unusual request patterns
- Set up periodic integrity checks on taxonomy backup tables to detect unauthorized deletions
How to Mitigate CVE-2026-4128
Immediate Actions Required
- Audit your WordPress user accounts and remove unnecessary Subscriber or authenticated user access until the plugin is patched
- Consider temporarily deactivating the TP Restore Categories And Taxonomies plugin if not critical to operations
- Review database backup procedures to ensure taxonomy data can be restored if compromised
- Implement additional access controls at the web server or WAF level to restrict AJAX endpoint access
Patch Information
As of the last update on 2026-04-22, users should monitor the WordPress plugin repository for an updated version of TP Restore Categories And Taxonomies that addresses this authorization bypass. The fix should implement proper current_user_can() capability checks in the delete_term() function to verify user permissions before processing delete requests.
For additional technical details, refer to the Wordfence Vulnerability Analysis and the plugin source code at the WordPress Plugin Admin Code.
Workarounds
- Restrict WordPress user registration and remove unnecessary authenticated user accounts to minimize the attack surface
- Implement a custom code snippet or must-use plugin that adds capability checks to the vulnerable AJAX handler before the plugin is updated
- Use a WordPress security plugin to restrict AJAX endpoint access based on user roles
- Consider blocking the specific AJAX action tpmcattt_delete_term at the web server level for non-administrator users until an official patch is available
# Example: Apache .htaccess rule to block the vulnerable AJAX action
# Add to the WordPress root .htaccess, above the "# BEGIN WordPress" block (requires mod_rewrite).
# Limitation: mod_rewrite only sees the query string, not the POST body in which
# WordPress AJAX clients normally send the action, and it cannot tell a user's role
# (the wordpress_logged_in cookie carries no role information). This rule therefore
# blocks only query-string variants, and blocks them for every user; use the
# must-use plugin workaround above when a role-aware block is required.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} (^|&)action=tpmcattt_delete_term(&|$) [NC]
RewriteRule ^wp-admin/admin-ajax\.php$ - [F]
</IfModule>
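The must-use plugin workaround and the logging suggested under Detection Strategies, written out as an added example (this is not the plugin's own code or the vendor's fix). It assumes the plugin registers its delete_term() callback on the wp_ajax_tpmcattt_delete_term hook at the default priority 10, so a guard at priority 1 runs first; the term_id parameter is read only for the log line.

```php
<?php
/**
 * Plugin Name: Capability guard for tpmcattt_delete_term (CVE-2026-4128)
 * Description: Example must-use plugin (not the plugin's own code). Adds the
 *              missing capability check in front of the vulnerable AJAX handler
 *              and logs every rejected call with user context. Drop this file
 *              into wp-content/mu-plugins/.
 */

// Do not run outside of WordPress.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * WordPress dispatches a logged-in AJAX request through the wp_ajax_{action}
 * hook. Assumption: the vulnerable plugin hooks delete_term() at the default
 * priority (10), so this guard at priority 1 executes before it.
 */
function cve_2026_4128_guard_delete_term() {
    // manage_categories is the capability wp-admin requires for term
    // management; Subscribers do not have it.
    if ( current_user_can( 'manage_categories' ) ) {
        return; // Let the plugin's own handler (and its nonce check) run.
    }

    $user    = wp_get_current_user();
    $term_id = isset( $_POST['term_id'] ) ? absint( wp_unslash( $_POST['term_id'] ) ) : 0;
    $ip      = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // Detection: record the rejected attempt with user context so it can be
    // correlated with the indicators of compromise listed above.
    error_log( sprintf(
        'CVE-2026-4128 guard: blocked tpmcattt_delete_term for user #%d (%s, roles: %s) term_id=%d ip=%s',
        $user->ID,
        $user->user_login,
        implode( ',', (array) $user->roles ),
        $term_id,
        $ip
    ) );

    // wp_send_json_error() emits the JSON body and calls wp_die(), so the
    // plugin's delete_term() handler never runs for this request.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
add_action( 'wp_ajax_tpmcattt_delete_term', 'cve_2026_4128_guard_delete_term', 1 );
```

Once the guard is in place, a privileged user's request still passes through the plugin's own check_ajax_referer() call, so the original CSRF protection is retained.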
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.