This article details a medium-severity security vulnerability, CVE-2025-13922, affecting the “Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI” plugin for WordPress. If you use this plugin, it is crucial to understand the risk and take immediate action to protect your website.
Overview
CVE-2025-13922 is a time-based blind SQL injection vulnerability in the “Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI” plugin for WordPress, affecting all versions up to and including 3.40.1. It allows authenticated attackers with Contributor-level access or higher who also hold AI metabox permissions to append their own SQL to existing database queries, potentially leading to data exfiltration, performance degradation, or data inference.
Technical Details
The vulnerability stems from insufficient escaping of the ‘existing_terms_orderby’ parameter in the AI preview AJAX endpoint. The endpoint, located in `TaxoPressAiAjax.php`, incorporates this user-supplied parameter into a SQL query without proper sanitization, and the query itself is not parameterized; together these allow an attacker to append arbitrary SQL. Because the injection is time-based and blind, query results are never returned directly: an attacker instead infers data from how long crafted queries take to execute.
The vulnerable code areas are primarily located within:
- `inc/class.admin.php` (related code that may affect how the parameter reaches the endpoint)
- `modules/taxopress-ai/classes/TaxoPressAiAjax.php` (directly containing the vulnerable endpoint)
Specifically, look for the handling of the ‘existing_terms_orderby’ parameter within the AI preview AJAX endpoint logic.
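The root cause described above, an ORDER BY column taken from a request parameter and pasted into the query text, is easiest to understand beside its fix. The following is an added illustration written for this article, not the plugin's own code: the handler, nonce, parameter and function names are hypothetical, while `$wpdb`, `check_ajax_referer()`, `current_user_can()`, `absint()` and `wp_send_json_*()` are real WordPress APIs. The key caveat is that `$wpdb->prepare()` only parameterizes values (`%d`, `%s`), never identifiers, so a sort column must be validated against a fixed allowlist rather than escaped.

```php
<?php
// Added illustration (not the plugin's code). Table columns are those of wp_terms;
// handler, nonce and function names are hypothetical.

// --- Vulnerable pattern: the sort column is interpolated into SQL unchecked. ---
function hypothetical_preview_terms_vulnerable() {
    global $wpdb;
    $orderby = isset( $_POST['existing_terms_orderby'] ) ? $_POST['existing_terms_orderby'] : 'name';
    // No allowlist, and prepare() could not help here anyway because ORDER BY takes an
    // identifier, not a value: whatever arrives in the parameter becomes query text.
    $sql = "SELECT t.term_id, t.name FROM {$wpdb->terms} t ORDER BY {$orderby} LIMIT 20";
    return $wpdb->get_results( $sql );
}

// --- Hardened pattern: validate identifiers against a fixed allowlist. ---
function hypothetical_sanitize_orderby( $requested ) {
    // Only these exact wp_terms column names may reach the query; anything else falls back to 'name'.
    $allowed   = array( 'name', 'slug', 'term_id', 'term_group' );
    $requested = is_string( $requested ) ? strtolower( trim( $requested ) ) : '';
    return in_array( $requested, $allowed, true ) ? $requested : 'name';
}

function hypothetical_sanitize_order( $requested ) {
    // Sort direction is a two-valued identifier as well; normalise it the same way.
    return ( is_string( $requested ) && strtoupper( $requested ) === 'DESC' ) ? 'DESC' : 'ASC';
}

function hypothetical_preview_terms_hardened() {
    global $wpdb;

    // Defence in depth: nonce and capability checks before touching the database.
    check_ajax_referer( 'hypothetical_ai_preview_nonce', 'nonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    $orderby = hypothetical_sanitize_orderby( $_POST['existing_terms_orderby'] ?? 'name' );
    $order   = hypothetical_sanitize_order( $_POST['existing_terms_order'] ?? 'ASC' );
    $limit   = absint( $_POST['limit'] ?? 20 );

    // Identifiers come only from the allowlists; the numeric value goes through prepare().
    $sql = $wpdb->prepare(
        "SELECT t.term_id, t.name FROM {$wpdb->terms} t ORDER BY `{$orderby}` {$order} LIMIT %d",
        $limit
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_hypothetical_preview_terms', 'hypothetical_preview_terms_hardened' );
```

The vulnerable function is shown for contrast only and is not registered as an AJAX action. When reviewing a plugin for this class of bug, search for `ORDER BY` strings built from `$_POST`, `$_GET` or `$_REQUEST` and check that every such identifier passes through an `in_array()`-style allowlist before it is concatenated.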
CVSS Analysis
- CVE ID: CVE-2025-13922
- Severity: MEDIUM
- CVSS Score: 6.5
A CVSS score of 6.5 indicates a medium severity vulnerability. While the exploit requires authentication and specific permissions (Contributor level or higher with AI metabox access), the potential impact on confidentiality, integrity, and availability warrants prompt action.
Possible Impact
Successful exploitation of CVE-2025-13922 can lead to the following consequences:
- Data Exfiltration: Attackers can extract sensitive information from the WordPress database, including user credentials, customer data, and other confidential information.
- Performance Degradation: Malicious SQL queries can consume significant server resources, leading to slow website performance and potential denial of service.
- Data Inference: Even without directly extracting data, attackers can infer sensitive information based on the execution time of crafted SQL queries.
- Complete System Compromise: In certain scenarios and with sufficient privileges, attackers could potentially use the injected SQL to gain complete control over the WordPress database and, consequently, the entire website.
Mitigation and Patch Steps
The primary mitigation strategy is to update the “Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI” plugin to the latest version. According to the referenced changeset, a fix has been implemented. Therefore:
- Update the Plugin: Immediately update the “Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI” plugin to the newest available version through the WordPress admin dashboard. Verify that the updated version is *later* than 3.40.1.
- Review User Permissions: While updating is the primary fix, consider reviewing user roles and permissions, especially for Contributor-level users and above. Limit AI metabox access to only those users who absolutely require it.
- Monitor for Suspicious Activity: Closely monitor your WordPress website’s database activity for any unusual or suspicious queries. Implement security auditing tools to detect potential intrusion attempts.
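For the monitoring step, the cheapest signal is the parameter itself: a legitimate sort key is a short column name, so any request in which ‘existing_terms_orderby’ carries spaces, quotes, parentheses or other SQL syntax is worth logging. The following must-use plugin is an added example written for this article, not code from the plugin or from Wordfence; the log prefix and function names are hypothetical, while `wp_doing_ajax()`, `wp_unslash()`, `sanitize_key()` and `get_current_user_id()` are real WordPress functions. It only records, it does not block, so it is safe to deploy alongside the update rather than instead of it.

```php
<?php
// Added illustration (not the plugin's code): drop into wp-content/mu-plugins/ to log AJAX
// requests whose existing_terms_orderby value is not a plain column identifier.
// Log prefix and function names are hypothetical.

function hypothetical_orderby_looks_safe( $value ) {
    // A legitimate sort key is a short identifier: letters, digits and underscores,
    // optionally in "table.column" form. Anything else is flagged for review.
    return is_string( $value )
        && strlen( $value ) <= 64
        && preg_match( '/^[A-Za-z0-9_]+(\.[A-Za-z0-9_]+)?$/', $value ) === 1;
}

function hypothetical_log_suspicious_orderby() {
    if ( ! wp_doing_ajax() || ! isset( $_REQUEST['existing_terms_orderby'] ) ) {
        return;
    }
    $value = wp_unslash( $_REQUEST['existing_terms_orderby'] );
    if ( hypothetical_orderby_looks_safe( $value ) ) {
        return;
    }

    $user   = get_current_user_id();
    $ip     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $action = sanitize_key( $_REQUEST['action'] ?? '' );
    // Collapse whitespace and truncate so a hostile payload cannot break log parsing.
    $snippet = substr( preg_replace( '/\s+/', ' ', (string) $value ), 0, 200 );

    error_log( sprintf(
        '[hypothetical-orderby-monitor] user=%d ip=%s action=%s orderby=%s',
        $user, $ip, $action, $snippet
    ) );
}
// Priority 0 on init: runs before plugin AJAX handlers, after the current user is known.
add_action( 'init', 'hypothetical_log_suspicious_orderby', 0 );
```

Correlate these log lines with the user ID: the advisory's precondition is a Contributor-level (or higher) account with AI metabox access, so repeated flagged requests from one such account are the pattern to escalate, and the account should be reviewed under the permissions step above.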
References
- Vulnerable Code in class.admin.php
- Vulnerable Code in TaxoPressAiAjax.php
- Changeset with the Fix
- Wordfence Threat Intelligence Report
Stay vigilant and ensure your WordPress plugins are always up-to-date to protect your website from security vulnerabilities.