CVE-2026-4128
Summary: The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to 1.0.1. The delete_term() AJAX handler does not perform a proper capability check (e.g., current_user_can()) to verify permissions. Although a nonce is checked via ch...
CVE-2026-4128 TP Restore Categories And Taxonomies <= 1.0.1 - Missing Authorization to Authenticated (Subscriber+) Taxonomy Deletion via 'tpmcattt_delete_term' AJAX Action
The TP Restore Categories And Taxonomies plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.0.1. The delete_term function, which handles the 'tpmcattt_delete_term' AJAX action, does not perform any capability check (e.g., current_user_can()) to verify the...
CVE-2026-1673 BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net <= 1.1.5 - Cross-Site Request Forgery to Taxonomy Term Deletion
The BEAR – Bulk Editor and Products Manager Professional for WooCommerce by Pluginus.Net plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1.5. This is due to missing nonce validation on the woobedeletetaxterm function. This makes it possible...
WordPress Ace Post Type Builder plugin unauthorized custom taxonomy removal vulnerability
WordPress Ace Post Type Builder plugin is a plugin for creating and managing Custom Post Types (CPT), which helps users extend the content structure in WordPress with support for advanced features such as custom fields, categories and tags. WordPress Ace Post Type Builder plugin...
CVE-2025-13405 Ace Post Type Builder <= 1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter
The Ace Post Type Builder plugin for WordPress is vulnerable to unauthorized custom taxonomy deletion due to missing authorization validation on the cptbdeletecustomtaxonomy function in all versions up to, and including, 1.9. This makes it possible for authenticated attackers, with Subscriber-lev...
WordPress Ace Post Type Builder plugin <= 1.9 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter vulnerability
Missing Authorization to Authenticated (Subscriber+) Arbitrary Custom Taxonomy Deletion via 'taxonomy' Parameter vulnerability discovered by Legion Hunter in WordPress Plugin Ace Post Type Builder versions <= 1.9...