TP Restore Categories And Taxonomies WordPress Plugin Missing Authorization Vulnerability in AJAX Term Deletion Action
Vulnerability
A missing authorization vulnerability has been identified in the TP Restore Categories And Taxonomies plugin for WordPress, affecting all versions through 1.0.1. The issue is in the delete_term() function, which handles the 'tpmcattt_delete_term' AJAX action. The function performs no capability check to confirm that the requesting user has permission to delete terms. It does validate a nonce, but that nonce is available to all authenticated users, so any user with Subscriber-level access or higher can delete taxonomy terms from the plugin's backup tables.
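The handler below is an added example of how an AJAX deletion handler can pair the nonce check with the capability check this advisory reports as missing; it is not the plugin's own code or an official patch. The function name, nonce action, 'nonce' request field, table name, column name and the choice of the 'manage_categories' capability are all assumptions made for illustration.

```php
<?php
// Illustrative handler, not the plugin's source. Assumed names: function
// example_tpmcattt_delete_term, nonce action 'tpmcattt_nonce', request field
// 'nonce', table suffix 'tpmcattt_terms_backup' and its 'term_id' column.

// Register for logged-in users only; no wp_ajax_nopriv_ hook is added.
add_action( 'wp_ajax_tpmcattt_delete_term', 'example_tpmcattt_delete_term' );

function example_tpmcattt_delete_term() {
    // 1. Nonce: confirms the request came from a wp-admin page (CSRF defence).
    //    It is issued to every logged-in user, so it is not an authorization check.
    if ( ! check_ajax_referer( 'tpmcattt_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }

    // 2. Authorization: reject users who cannot manage taxonomy terms.
    //    'manage_categories' is an assumed choice; Subscribers do not hold it.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Input validation: term_id must be a positive integer.
    $term_id = isset( $_POST['term_id'] ) ? absint( wp_unslash( $_POST['term_id'] ) ) : 0;
    if ( 0 === $term_id ) {
        wp_send_json_error( array( 'message' => 'Invalid term_id.' ), 400 );
    }

    // 4. Delete the backup row with a typed placeholder for the id.
    global $wpdb;
    $deleted = $wpdb->delete(
        $wpdb->prefix . 'tpmcattt_terms_backup',
        array( 'term_id' => $term_id ),
        array( '%d' )
    );

    if ( false === $deleted ) {
        wp_send_json_error( array( 'message' => 'Delete failed.' ), 500 );
    }

    // wp_send_json_* ends the request, so nothing runs after a failed check.
    wp_send_json_success( array( 'deleted' => (int) $deleted ) );
}
```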
Impact
Exploitation of this vulnerability allows authenticated users with Subscriber-level access and above to permanently delete taxonomy term records from the plugin's trash or backup tables.
Reproduction
To reproduce this vulnerability, an authenticated user with Subscriber-level access or higher can send an AJAX request to the 'tpmcattt_delete_term' action. This request must include a valid nonce, which can be obtained from any wp-admin page, and an arbitrary term_id corresponding to the taxonomy term to be deleted.
