CVE-2026-4128 describes a missing authorization vulnerability (CWE-862) in the TP Restore Categories And Taxonomies WordPress plugin versions up to 1.0.1. The plugin's delete_term() function handles the 'tpmcattt_delete_term' AJAX action but fails to perform capability checks such as current_user_can() to confirm that the user has sufficient permissions to delete taxonomy terms. Although the function verifies a nonce with check_ajax_referer(), the nonce is generated for all authenticated users and exposed on any wp-admin page, including those accessible by Subscribers. Consequently, an authenticated user with Subscriber-level privileges or higher can craft an AJAX request with a valid nonce and arbitrary term_id to permanently delete taxonomy term records from the plugin's trash or backup tables.

The vulnerability allows authenticated users with minimal privileges (Subscriber-level and above) to delete taxonomy term records from the plugin's trash or backup tables without proper authorization. This results in unauthorized modification of data (integrity impact). There is no direct impact on confidentiality or availability reported. No known exploits in the wild have been documented. The CVSS 3.1 base score is 4.3 (medium severity), reflecting the low complexity of attack and limited privileges required but limited impact scope.

Patch status is not yet confirmed — no official fix or patch links are provided by the vendor at this time. Users of the TP Restore Categories And Taxonomies plugin should monitor the vendor's advisory channels for updates and apply any official patches once available. Until a fix is released, restricting plugin usage to trusted users or disabling the plugin may reduce risk. Avoid granting unnecessary authenticated access to low-privilege users. No vendor advisory states that no action is required or that the issue is mitigated.