cleantalk
Vulnerabilities and Security Researches

Tainacan, CVE-2025-14043

CVE, Research URL

CVE-2025-14043

Home page URL

Security reports for Tainacan

Application

Tainacan

Published on
Dec 21, 2025
Research Description
The Tainacan plugin for WordPress is vulnerable to unauthorized metadata section creation due to missing authorization checks in all versions up to, and including, 1.0.1. This is due to the `create_item_permissions_check()` function unconditionally returning true, which bypasses authentication and authorization validation. This makes it possible for unauthenticated attackers to create arbitrary metadata sections for any collection via the public REST API granted they can access the WordPress site.
Affected versions
max 1.0.2.
Status
vulnerable
Previous vulnerability researches
WC Fields Factory (CVE-2023-0277) , Jun 07, 2024
WC Fields Factory (6cc027737736ffa5a4ad7d18f7aacab3368b4dae) , Jun 07, 2024
New vulnerability
Download Plugins and Themes from Dashboard (CVE-2025-14399) , Jan 10, 2026
Heateor Social Login WordPress (CVE-2025-68998) , Jan 10, 2026
AnnunciFunebri Impresa (CVE-2025-14447) , Jan 10, 2026
Serial Codes Generator and Validator with WooCommerce Support (CVE-2025-62091) , Jan 10, 2026
Effect Maker (CVE-2025-68867) , Jan 10, 2026