Overview
CVE-2025-13354 describes an authorization bypass vulnerability found in the Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin (TaxoPress) for WordPress. This vulnerability affects all versions up to and including 3.40.1. Due to improper authorization checks within the taxopress_merge_terms_batch function, authenticated attackers with subscriber-level access or higher can potentially merge or delete arbitrary taxonomy terms. This could lead to data corruption, loss of site structure, and potentially further exploitation.
Technical Details
The vulnerability lies in the taxopress_merge_terms_batch function within the TaxoPress plugin. The plugin fails to verify that the requesting user has the necessary permissions to merge or delete taxonomy terms: it does not check the user's capabilities before executing the function. An authenticated user, even one with only “subscriber” privileges, can therefore send a crafted request to this function and manipulate taxonomy terms without proper authorization.
The root cause is the missing capability check when processing a request to merge or delete terms in batch. Because the handler never validates who is calling it, the intended access controls are bypassed.
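The missing-check pattern described above, as an added illustrative example that is not TaxoPress's own code: a WordPress AJAX handler that trusts any logged-in user, beside a hardened version that verifies a nonce and the taxonomy's capabilities before touching terms. The handler names, the `example_merge_terms` nonce action and the request fields (`taxonomy`, `target_id`, `source_ids`, `nonce`) are assumptions.

```php
<?php
// Added example, not the plugin's code; handler names and fields are assumed.

// Weak pattern: wp_ajax_* fires for every authenticated user (subscribers
// included), and nothing here checks a nonce or a capability.
function example_merge_terms_batch_weak() {
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    $target   = absint( $_POST['target_id'] ?? 0 );
    $sources  = array_map( 'absint', (array) ( $_POST['source_ids'] ?? array() ) );
    example_do_merge( $taxonomy, $target, $sources ); // no authorization at all
    wp_send_json_success();
}

// Hardened pattern: CSRF nonce, then the capability check tied to the
// taxonomy being edited, then validation that every term belongs to it.
function example_merge_terms_batch_secure() {
    check_ajax_referer( 'example_merge_terms', 'nonce' );

    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    $tax_obj  = get_taxonomy( $taxonomy );
    if ( ! $tax_obj ) {
        wp_send_json_error( 'unknown taxonomy', 400 );
    }
    // Merging deletes the source terms, so require the taxonomy's own
    // edit_terms and delete_terms caps (manage_categories for built-ins).
    if ( ! current_user_can( $tax_obj->cap->edit_terms )
         || ! current_user_can( $tax_obj->cap->delete_terms ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $target  = absint( $_POST['target_id'] ?? 0 );
    $sources = array_map( 'absint', (array) ( $_POST['source_ids'] ?? array() ) );
    foreach ( array_merge( array( $target ), $sources ) as $term_id ) {
        if ( ! ( get_term( $term_id, $taxonomy ) instanceof WP_Term ) ) {
            wp_send_json_error( 'term not in taxonomy', 400 );
        }
    }
    example_do_merge( $taxonomy, $target, $sources );
    wp_send_json_success();
}

// Shared merge logic: reattach objects to the target, then drop the source.
function example_do_merge( $taxonomy, $target, array $sources ) {
    foreach ( array_diff( $sources, array( $target ) ) as $source ) {
        foreach ( (array) get_objects_in_term( $source, $taxonomy ) as $object_id ) {
            wp_set_object_terms( $object_id, array( $target ), $taxonomy, true );
        }
        wp_delete_term( $source, $taxonomy );
    }
}
add_action( 'wp_ajax_example_merge_terms_batch', 'example_merge_terms_batch_secure' );
```

The capability check must be on the taxonomy's `cap` object rather than a blanket `is_user_logged_in()`, since the latter is exactly what the weak handler already relies on.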
CVSS Analysis
The Common Vulnerability Scoring System (CVSS) score for CVE-2025-13354 is 4.3 (Medium). A CVSS vector consistent with that score is shown below; consult the official advisory for the authoritative string:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
- Attack Vector (AV): Network (N) – The vulnerability can be exploited over the network.
- Attack Complexity (AC): Low (L) – Exploitation requires no specialized conditions or prior knowledge of the target.
- Privileges Required (PR): Low (L) – An attacker requires only basic user privileges.
- User Interaction (UI): None (N) – No user interaction is required for exploitation.
- Scope (S): Unchanged (U) – An exploited vulnerability can only affect resources managed by the same security authority.
- Confidentiality Impact (C): None (N) – There is no impact to confidentiality.
- Integrity Impact (I): Low (L) – There is some modification of data.
- Availability Impact (A): None (N) – There is no impact to availability.
While the score is classified as Medium, the impact can be significant depending on the website’s reliance on its taxonomy structure.
Possible Impact
Successful exploitation of CVE-2025-13354 can lead to the following impacts:
- Data Corruption: Unauthorized modification or deletion of taxonomy terms can corrupt the website’s category and tag structure, impacting organization and search functionality.
- Loss of Site Structure: Important categories and tags could be deleted, disrupting navigation and user experience.
- SEO Impact: Incorrect or missing taxonomies can negatively impact search engine optimization (SEO).
- Potential for Escalation: While the direct impact is limited to taxonomy manipulation, an attacker could combine this vulnerability with other weaknesses in the site to extend their access.
Mitigation or Patch Steps
The recommended mitigation is to update the TaxoPress plugin to the latest version as soon as possible. The vulnerability has been patched in versions released after 3.40.1.
- Log in to your WordPress admin dashboard.
- Navigate to the “Plugins” section.
- Locate the “Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI” plugin (TaxoPress).
- If an update is available, click the “Update Now” button.
- Verify the update was successful.
If an update is not immediately available, consider temporarily deactivating the plugin until a patched version is released. Monitor the plugin developer’s website and WordPress.org for updates.
