Medium severity5.3NVD Advisory· Published Dec 21, 2025· Updated Apr 15, 2026

CVE-2025-14043

Description

The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the create_item_permissions_check() function unconditionally returning true, which bypasses authentication and authorization validation. This makes it possible for unauthenticated attackers to create arbitrary metadata sections for any collection via the public REST API granted they can access the WordPress site.

Affected products

WordPress/Tainacaninferred
Range: <=1.0.1
Package: https://wordpress.org/plugins/tainacan

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

plugins.trac.wordpress.org/browser/tainacan/tags/1.0.1/classes/api/endpoints/class-tainacan-rest-metadata-sections-controller.phpnvd
plugins.trac.wordpress.org/browser/tainacan/trunk/classes/api/endpoints/class-tainacan-rest-metadata-sections-controller.phpnvd
www.wordfence.com/threat-intel/vulnerabilities/id/5596a0f0-6bfe-4c6e-a0d6-117e13117098nvd

News mentions

No linked articles in our index yet.

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000