Ace Post Type Builder Missing Authorization Vulnerability Allowing Arbitrary Custom Taxonomy Deletion
Vulnerability
The Ace Post Type Builder plugin for WordPress is vulnerable in all versions up to and including 1.9. The 'cptb_delete_custom_taxonomy()' function performs no capability check before acting, so any authenticated user with Subscriber-level access or higher can delete any custom taxonomy the plugin manages. Deleting a taxonomy removes the grouping applied to posts, which disrupts how content is organized and categorized in the site and can amount to data loss for the site owner.
Impact
Exploitation of this vulnerability allows for the unauthorized deletion of custom taxonomies, which could disrupt content organization and management within WordPress.
Reproduction
To reproduce this vulnerability, log in as a user with Subscriber-level access or higher and submit a request to admin-post.php with the 'action' parameter set to 'cptb_delete_taxonomy' and the 'taxonomy' parameter set to the slug of the custom taxonomy to delete. WordPress fires the 'admin_post_cptb_delete_taxonomy' hook for every logged-in user who submits that action (the 'admin_post_nopriv_' variant covers anonymous visitors), so the handler's own capability check is the only thing that would restrict it to administrators, and in the affected versions that check is absent.
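To make the missing check concrete, the following is an added example written for this page, not the plugin's own code: it shows the shape of an 'admin_post_' handler that trusts the authenticated session alone, next to a hardened version of the same handler. The option name 'example_custom_taxonomies', the nonce action and the function names are assumptions for illustration; the hook name 'admin_post_cptb_delete_taxonomy' is the one named in the advisory.

```php
<?php
// Added example, not code from the Ace Post Type Builder plugin. It illustrates the
// authorization gap described above. Option name, nonce action and function names
// are assumed for illustration only.

// VULNERABLE SHAPE (not registered here): admin-post.php fires admin_post_{action}
// for any logged-in user, so with no capability check a Subscriber reaches this body.
function example_delete_taxonomy_unsafe() {
    $taxonomy = isset( $_REQUEST['taxonomy'] ) ? sanitize_key( wp_unslash( $_REQUEST['taxonomy'] ) ) : '';
    $stored   = get_option( 'example_custom_taxonomies', array() ); // assumed option name
    unset( $stored[ $taxonomy ] );                                   // deletes whatever the caller named
    update_option( 'example_custom_taxonomies', $stored );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : admin_url() );
    exit;
}

// HARDENED SHAPE: gate on a capability, bind the request to a nonce for this exact
// action and target, and refuse targets that do not exist.
add_action( 'admin_post_cptb_delete_taxonomy', 'example_delete_taxonomy_safe' );
function example_delete_taxonomy_safe() {
    // 1. Authorization: only users who may manage site options (administrators) proceed.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to delete taxonomies.' ), 403 );
    }

    $taxonomy = isset( $_REQUEST['taxonomy'] ) ? sanitize_key( wp_unslash( $_REQUEST['taxonomy'] ) ) : '';

    // 2. CSRF protection: the nonce action includes the target slug, so a nonce issued
    //    for one taxonomy cannot be replayed to delete another. Assumed nonce action.
    check_admin_referer( 'cptb_delete_taxonomy_' . $taxonomy );

    // 3. Input validation: only delete something that is actually registered.
    $stored = get_option( 'example_custom_taxonomies', array() );
    if ( '' === $taxonomy || ! isset( $stored[ $taxonomy ] ) ) {
        wp_die( esc_html__( 'Unknown taxonomy.' ), 400 );
    }

    unset( $stored[ $taxonomy ] );
    update_option( 'example_custom_taxonomies', $stored );

    wp_safe_redirect( add_query_arg( 'deleted', '1', admin_url( 'admin.php?page=example-cptb' ) ) );
    exit;
}
```

When auditing a plugin for this class of bug, list every 'add_action( "admin_post_...' and 'admin_post_nopriv_...' registration and read the callback: each one needs a 'current_user_can()' test against a specific capability and a 'check_admin_referer()' or 'wp_verify_nonce()' call before it changes any state. A handler that relies only on the user being logged in, as the vulnerable shape above does, is reachable by every role, Subscriber included.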
