cleantalk
Vulnerabilities and Security Researches

Tainacan, CVE-2025-14043

CVE, Research URL

CVE-2025-14043

Home page URL

Security reports for Tainacan

Application

Tainacan

Published on
Dec 21, 2025
Research Description
The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function unconditionally returning true, which bypasses authentication and authorization validation. This makes it possible for unauthenticated attackers to create arbitrary metadata sections for any collection via the public REST API granted they can access the WordPress site.
Affected versions
max 1.0.2.
Status
vulnerable
Previous vulnerability researches
Social Profilr (CVE-2025-49343) , Jan 06, 2026
New vulnerability
BizPrint – Print WooCommerce Order Receipts, Invoices, Labels & More. (CVE-2025-69024) , Jan 10, 2026
Appointment Booking Calendar — Simply Schedule Appointments Booking Plugin (CVE-2025-13754) , Jan 10, 2026
LearnPress – WordPress LMS Plugin (CVE-2025-14387) , Jan 10, 2026
LearnPress – WordPress LMS Plugin (CVE-2025-13956) , Jan 10, 2026
Customizable WordPress Gallery Plugin – Modula Image Gallery (CVE-2025-13891) , Jan 10, 2026