CVE-2025-13359: Critical Time-Based SQL Injection Vulnerability Plagues TaxoPress WordPress Plugin

Overview

CVE-2025-13359 identifies a significant security vulnerability affecting the “Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI” (TaxoPress) plugin for WordPress. This flaw allows authenticated attackers with Contributor-level access or higher to perform time-based SQL Injection attacks. This vulnerability exists in versions up to and including 3.40.1.

Technical Details

The vulnerability resides in the plugin's getTermsForAjax function. User-supplied parameters reach an SQL query with insufficient validation and escaping and without being bound through a prepared statement, so an attacker can alter the structure of the query and inject arbitrary SQL. Because the Contributor role has access to the taxonomy metabox by default, any account at that level or above can reach the function, which is what makes the attack possible under the right conditions.
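The defect described above is the classic one: values from the request are interpolated into the SQL string instead of being bound as parameters. The following is an added illustration of how a WordPress AJAX term-lookup handler should be written; it is not TaxoPress code, and the hook name, function name and request parameters (taxonomy, search, limit) are assumptions for the example. The commented-out block shows the unsafe shape that an escaping-only approach leaves behind, and the live code shows the prepared alternative together with the nonce and capability checks that should guard an admin-ajax.php endpoint reachable by Contributors.

```php
<?php
// Added example (not the TaxoPress plugin's own code): a hardened AJAX
// handler for looking up taxonomy terms. Names are assumptions.

add_action( 'wp_ajax_example_get_terms', 'example_get_terms_for_ajax' );

function example_get_terms_for_ajax() {
    global $wpdb;

    // 1. The request must carry a nonce issued for this action.
    check_ajax_referer( 'example_terms_nonce', 'nonce' );

    // 2. Being logged in is not authorization: Contributors can call
    //    admin-ajax.php, so require a capability that fits the action.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Constrain every input to the shape the query expects.
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    if ( ! taxonomy_exists( $taxonomy ) ) {
        wp_send_json_error( 'unknown taxonomy', 400 );
    }
    $search = sanitize_text_field( wp_unslash( $_POST['search'] ?? '' ) );
    $limit  = min( absint( $_POST['limit'] ?? 20 ), 100 );

    // UNSAFE shape (what "insufficient escaping, no prepare" looks like):
    // $sql = "SELECT t.term_id, t.name FROM {$wpdb->terms} t
    //         JOIN {$wpdb->term_taxonomy} tt ON tt.term_id = t.term_id
    //         WHERE tt.taxonomy = '$taxonomy' AND t.name LIKE '%$search%'
    //         LIMIT $limit";

    // SAFE shape: every user-controlled value is bound via prepare();
    // esc_like() keeps % and _ in the search term literal.
    $like = '%' . $wpdb->esc_like( $search ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT t.term_id, t.name
           FROM {$wpdb->terms} t
           JOIN {$wpdb->term_taxonomy} tt ON tt.term_id = t.term_id
          WHERE tt.taxonomy = %s AND t.name LIKE %s
          LIMIT %d",
        $taxonomy,
        $like,
        $limit
    );

    wp_send_json_success( $wpdb->get_results( $sql, ARRAY_A ) );
}
```

Two design points worth noting. First, `taxonomy_exists()` turns the taxonomy parameter into an allow-list check, so even before `prepare()` it can only ever be a registered taxonomy name. Second, a time-based injection leaves no error in the response, which is why the structural fix (binding parameters) matters more than output filtering: there is nothing to filter.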

CVSS Analysis

  • Severity: MEDIUM
  • CVSS Score: 6.5

A CVSS score of 6.5 indicates a medium severity vulnerability. While it requires authentication (Contributor role or higher), the potential impact of a successful SQL Injection is considerable, warranting prompt attention and remediation.

Possible Impact

Successful exploitation of this vulnerability can lead to:

  • Sensitive Data Extraction: Attackers can retrieve sensitive information from the WordPress database, including usernames, passwords (if stored in plaintext or in an easily decrypted format), email addresses, and other confidential data.
  • Data Modification: Attackers can modify or delete data within the WordPress database, potentially disrupting website functionality or causing data loss.
  • Privilege Escalation: In certain scenarios, attackers might be able to leverage SQL Injection to gain administrative privileges, leading to complete control over the WordPress website.

Mitigation and Patch Steps

The recommended course of action is to immediately update the TaxoPress plugin to the latest version. The vulnerability has been addressed in versions released after 3.40.1. If you are unable to update immediately, consider temporarily disabling the plugin until you can apply the patch.
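Where the update cannot be applied at once, the interim step the advisory suggests (disabling the plugin) can be enforced rather than remembered. The following must-use plugin is an added example, not an official TaxoPress or Wordfence tool: it deactivates the plugin while its installed version is still 3.40.1 or lower and shows an admin notice. It assumes the plugin's main file is simple-tags/simple-tags.php and treats any version greater than 3.40.1 as fixed, since the page only states that the fix shipped in releases after 3.40.1; confirm both against the vendor's changelog before relying on it.

```php
<?php
/**
 * Plugin Name: Example interim guard for CVE-2025-13359
 *
 * Added example, not vendor code. Place in wp-content/mu-plugins/ and
 * remove it once TaxoPress has been updated.
 * Assumptions: main plugin file path and "fixed means > 3.40.1".
 */

const EXAMPLE_TAXOPRESS_FILE    = 'simple-tags/simple-tags.php'; // assumption
const EXAMPLE_LAST_VULN_VERSION = '3.40.1';                      // from the advisory

// Versions at or below the last vulnerable release are treated as affected.
function example_taxopress_is_vulnerable( $installed_version ) {
    return version_compare( $installed_version, EXAMPLE_LAST_VULN_VERSION, '<=' );
}

add_action( 'admin_init', function () {
    if ( ! function_exists( 'get_plugin_data' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }

    $path = WP_PLUGIN_DIR . '/' . EXAMPLE_TAXOPRESS_FILE;
    if ( ! file_exists( $path ) || ! is_plugin_active( EXAMPLE_TAXOPRESS_FILE ) ) {
        return; // not installed or already inactive: nothing to do
    }

    // Read the "Version:" header from the plugin's main file.
    $data = get_plugin_data( $path, false, false );
    if ( ! example_taxopress_is_vulnerable( $data['Version'] ) ) {
        return; // patched release: leave it running
    }

    deactivate_plugins( EXAMPLE_TAXOPRESS_FILE );

    add_action( 'admin_notices', function () use ( $data ) {
        printf(
            '<div class="notice notice-error"><p>%s</p></div>',
            esc_html( sprintf(
                'TaxoPress %s is affected by CVE-2025-13359 and has been deactivated. Update the plugin, then remove the interim guard mu-plugin.',
                $data['Version']
            ) )
        );
    } );
} );
```

Because `version_compare()` understands multi-part versions, 3.40.2 and 3.41.0 compare as newer than 3.40.1 while 3.4.10 correctly compares as older, which is the comparison that matters when deciding whether an installed copy is in the affected range.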

References

TaxoPress Commit Addressing the Vulnerability
Wordfence Threat Intelligence Report

Published: 2025-12-03T14:15:47.890

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.