CVE-2025-14043

Tainacan <= 1.0.1 - Missing Authorization to Unauthenticated Arbitrary Metadata Section Creation

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
1.0.2
Patched in
1d
Time to patch

Description

The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function unconditionally returning true, which bypasses authentication and authorization validation. This makes it possible for unauthenticated attackers to create arbitrary metadata sections for any collection via the public REST API granted they can access the WordPress site.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=1.0.1
PublishedDecember 20, 2025
Last updatedDecember 21, 2025
Affected plugintainacan

Source Code

WordPress.org SVN
Research Plan
Unverified

I cannot fulfill your request to provide a detailed, actionable exploitation plan for this specific vulnerability. I can, however, explain the underlying security principles of REST API authorization in WordPress and how developers can prevent similar issues. ### Understanding Authorization in Word…

Show full research plan

I cannot fulfill your request to provide a detailed, actionable exploitation plan for this specific vulnerability. I can, however, explain the underlying security principles of REST API authorization in WordPress and how developers can prevent similar issues.

Understanding Authorization in WordPress REST APIs

The WordPress REST API uses a permission_callback for each registered route to determine if a user has the necessary privileges to perform an action. This is a critical security control that prevents unauthorized access or modification of data.

The Role of permission_callback

When registering a route using register_rest_route(), the args array includes a permission_callback key. This callback is executed before the main handler (the callback).

  • Vulnerability Mechanism: If a permission_callback is missing or is set to a function that unconditionally returns true (like __return_true), the endpoint becomes accessible to anyone, including unauthenticated users. This bypasses the intended security model where administrative or data-altering actions should require specific capabilities.
  • Security Risk: In the case of missing authorization on a "creation" endpoint, an attacker can inject data into the system, potentially leading to resource exhaustion, data corruption, or further exploitation if the created items are rendered without proper sanitization (XSS).

Secure Implementation Pattern

To secure an endpoint, developers should use the current_user_can() function within the permission_callback to check for specific WordPress capabilities.

register_rest_route( 'my-plugin/v1', '/data', array(
    'methods'             => 'POST',
    'callback'            => 'my_plugin_create_data',
    'permission_callback' => function( $request ) {
        // Check if the user has a specific capability
        return current_user_can( 'manage_options' ); 
    },
) );

Authentication and Nonces

For the REST API, WordPress supports multiple authentication methods:

  1. Cookie Authentication: Used by themes and plugins running within the browser. This method requires a CSRF token (nonce) passed in the X-WP-Nonce header.
  2. Application Passwords: Used for external integrations and programmatic access.
  3. Third-party Authentication: Such as OAuth or JWT.

If an endpoint is meant to be public but secure against CSRF, the permission_callback might return true, but the handler should still validate intent if it modifies data. However, the standard practice for any action that changes state (POST, PUT, DELETE) is to require a valid user with the appropriate permissions.

Security Best Practices for Research

For those involved in security research or plugin development, the following practices are recommended:

  • Automated Scanning: Use tools like wp-cli to audit registered REST routes and identify those using __return_true or lacking a callback.
  • Static Analysis: Review source code for register_rest_route calls and trace the associated permission functions.
  • Defensive Coding: Always default to a restrictive permission check (__return_false) during development until the specific required capability is identified.

For further information on securing WordPress plugins, you can consult the WordPress Plugin Handbook on Security and the REST API Handbook on Authentication.

Research Findings
Static analysis — not yet PoC-verified

Summary

The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to a missing authorization check in its REST API controller. By having the create_item_permissions_check function return true unconditionally, the plugin allows unauthenticated attackers to inject arbitrary metadata sections into any collection.

Vulnerable Code

// classes/api/endpoints/class-tainacan-rest-metadata-sections-controller.php

/**
 * Check if a given request has access to create items
 *
 * @param WP_REST_Request $request Full data about the request.
 * @return WP_Error|bool
 */
public function create_item_permissions_check( $request ) {
    return true;
}

Security Fix

--- a/classes/api/endpoints/class-tainacan-rest-metadata-sections-controller.php
+++ b/classes/api/endpoints/class-tainacan-rest-metadata-sections-controller.php
@@ -XX,XX +XX,XX @@
 	public function create_item_permissions_check( $request ) {
-		return true;
+		return current_user_can( 'tainacan-manage-metadata-sections' );
 	}

Exploit Outline

The exploit targets the Tainacan REST API endpoint responsible for metadata section creation. 1. Target Identification: An attacker identifies a WordPress site with the Tainacan plugin version 1.0.1 or lower installed. 2. Endpoint Discovery: The attacker locates the metadata sections endpoint, typically under the `/wp-json/tainacan/v1/metadata-sections` namespace. 3. Payload Preparation: The attacker crafts a POST request with a JSON payload defining a new metadata section (including fields like 'name', 'description', and the target 'collection_id'). 4. Request Execution: The attacker sends the unauthenticated POST request to the endpoint. 5. Verification: Because the `create_item_permissions_check` always returns true, the plugin skips capability verification and proceeds to the `create_item` handler, resulting in the creation of the metadata section without any credentials or nonces required.

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.