PT-2025-48808 · WordPress · Tag
Published 2025-12-03 · Updated 2025-12-05
CVE-2025-13359
CVSS v3.1: 6.5 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress versions through 3.40.1
Description
The software is susceptible to a time-based (blind) SQL injection issue via the getTermsForAjax function. The cause is inadequate escaping of user-supplied parameters and the lack of a prepared statement for the existing SQL query, so request parameters become part of the query text. Authenticated attackers with contributor-level access or higher can inject additional SQL into the existing query and infer database contents from response timing, potentially extracting sensitive information. The attacker needs metabox access for the taxonomy, which is enabled by default for contributors.
Recommendations
Versions prior to and including 3.40.1 are affected. Update to a version beyond 3.40.1 when available. As a temporary workaround, restrict access to the getTermsForAjax function for users with contributor-level access or below.
Fix
SQL injection
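The pattern behind this class of bug and the two-part fix the advisory recommends (a capability gate on the AJAX handler plus a prepared query), shown as an added example. This is hypothetical illustration code, not the plugin's own getTermsForAjax implementation: the function names, the `manage_categories` capability, the nonce action name and the sample payload are all assumptions made for the example.

```php
<?php
// Added illustration, not code from the plugin. Assumes a WordPress context
// where the global $wpdb and the WordPress API functions are available.

// BEFORE (vulnerable pattern): request values are interpolated straight into
// the SQL string, so whatever the caller sends becomes part of the query.
function example_get_terms_vulnerable( $taxonomy, $search ) {
    global $wpdb;
    $sql = "SELECT t.term_id, t.name
            FROM {$wpdb->terms} t
            INNER JOIN {$wpdb->term_taxonomy} tt ON tt.term_id = t.term_id
            WHERE tt.taxonomy = '{$taxonomy}'
              AND t.name LIKE '%{$search}%'";
    return $wpdb->get_results( $sql );
}

// Constructed example value for $search (not a payload taken from the advisory):
//   ' AND SLEEP(5)-- 
// Interpolated above, the quote closes the LIKE literal, SLEEP(5) delays the
// response, and the trailing "-- " comments out the rest of the query. Because
// nothing is echoed back, the attacker reads the answer from the delay; that is
// what makes the injection "time-based".

// AFTER (hardened pattern): refuse low-privilege callers before doing any work,
// then bind every user-controlled value through $wpdb->prepare().
function example_get_terms_hardened() {
    global $wpdb;

    // Temporary mitigation from the advisory: keep contributor-level and lower
    // users away from the handler. Note that 'edit_posts' would NOT achieve this,
    // because contributors hold it; 'manage_categories' is an assumed choice here.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // Assumed nonce action name; ties the request to a form the user loaded.
    check_ajax_referer( 'example_get_terms', 'nonce' );

    $taxonomy = isset( $_POST['taxonomy'] ) ? sanitize_key( $_POST['taxonomy'] ) : '';
    $search   = isset( $_POST['search'] )
        ? sanitize_text_field( wp_unslash( $_POST['search'] ) )
        : '';

    if ( ! taxonomy_exists( $taxonomy ) ) {
        wp_send_json_error( 'unknown taxonomy', 400 );
    }

    // prepare() escapes quotes and placeholders but not LIKE wildcards, so the
    // '%' and '_' in user input are escaped separately with esc_like().
    $like = '%' . $wpdb->esc_like( $search ) . '%';

    $sql = $wpdb->prepare(
        "SELECT t.term_id, t.name
         FROM {$wpdb->terms} t
         INNER JOIN {$wpdb->term_taxonomy} tt ON tt.term_id = t.term_id
         WHERE tt.taxonomy = %s
           AND t.name LIKE %s
         LIMIT %d",
        $taxonomy,
        $like,
        50
    );

    wp_send_json_success( $wpdb->get_results( $sql ) );
}
add_action( 'wp_ajax_example_get_terms', 'example_get_terms_hardened' );
```

The order of the checks matters for the workaround: the capability test runs before the nonce check and before any database access, so a contributor reaches neither the query nor a timing side channel. With the prepared query in place, the same constructed input is passed as a bound string and matches only term names that literally contain it.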
Affected Products
Tag