Tainacan WordPress Plugin Missing Authorization Vulnerability Allows Unauthenticated Metadata Section Creation

Vulnerability

A vulnerability exists in the Tainacan plugin for WordPress, in all versions up to and including 1.0.1. The issue stems from the 'create_item_permissions_check()' function, which fails to properly validate authentication and authorization. This oversight allows unauthenticated users to create arbitrary metadata sections for any collection through the public REST API, as long as they can access the WordPress site.
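The class of defect described above, shown as a weak REST permission callback beside a hardened one. This is an added example, not Tainacan's code or its patch: the class name, the `example/v1` namespace, the route, and the choice of the `edit_post` capability (which assumes collections are stored as posts) are all hypothetical.

```php
<?php
/**
 * Added illustration, not Tainacan's code. Namespace, route, class name and
 * capability mapping are hypothetical.
 */
class Example_Metadata_Sections_Controller extends WP_REST_Controller {

    public function register_routes() {
        register_rest_route( 'example/v1', '/collection/(?P<collection_id>\d+)/metadata-sections', array(
            'methods'             => WP_REST_Server::CREATABLE, // POST
            'callback'            => array( $this, 'create_item' ),
            // Runs before the callback; returning false, null or a WP_Error rejects the request.
            'permission_callback' => array( $this, 'create_item_permissions_check' ),
        ) );
    }

    // Weak form (kept for contrast, not registered): no identity or
    // capability check, so anonymous callers reach create_item().
    public function create_item_permissions_check_weak( $request ) {
        return true;
    }

    // Hardened form: the caller must hold edit rights on the target collection.
    public function create_item_permissions_check( $request ) {
        $collection_id = (int) $request['collection_id'];

        // Assumption: collections are posts, so the 'edit_post' meta capability
        // applies. It is false for anonymous callers and for unknown IDs.
        if ( ! current_user_can( 'edit_post', $collection_id ) ) {
            return new WP_Error(
                'rest_forbidden',
                'You are not allowed to create metadata sections in this collection.',
                array( 'status' => rest_authorization_required_code() ) // 401 anonymous, 403 logged in
            );
        }
        return true;
    }

    public function create_item( $request ) {
        // Reached only after the permission callback let the request through.
        $name = sanitize_text_field( (string) $request->get_param( 'name' ) );
        return new WP_REST_Response(
            array( 'collection_id' => (int) $request['collection_id'], 'name' => $name ),
            201
        );
    }
}

add_action( 'rest_api_init', function () {
    ( new Example_Metadata_Sections_Controller() )->register_routes();
} );
```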

Impact

Exploitation of this vulnerability allows for the unauthorized creation of metadata sections, which could be misused to manipulate or disrupt the organization of content within WordPress collections.

Remediation

Users are advised to update the Tainacan WordPress plugin to version 1.0.2 or a newer patched version.

Added: Dec 21, 2025, 3:21 AM
Updated: Dec 21, 2025, 3:21 AM

Vulnerability Rating

Custom Algorithm

spread: 1.0
impact: 0.6
exploitability: 9.0
remediation: 7.7
relevance: 1.5
threat: 3.2
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.