PT-2025-49327 · WordPress · Tag

Dmitry Ignatyev

·

Published

2025-12-06

·

Updated

2025-12-06

·

CVE-2025-13922

CVSS v3.1

6.5

Medium

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress, versions through 3.40.1

Description

The plugin contains a time-based blind SQL injection caused by insufficient escaping of a user-supplied parameter and a lack of query parameterization. An authenticated attacker with Contributor-level access or higher who also holds the plugin's AI metabox permission can append additional SQL to an existing database query. This can lead to extraction of sensitive information, performance degradation, or inference of data through time-based techniques. The vulnerable parameter is the existing-terms orderby parameter of the AI preview AJAX endpoint.

Recommendations

Update to a version later than 3.40.1.
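The weakness class described above, as an added illustration that is not the plugin's own code: an ORDER BY clause built by interpolating a request parameter beside the allowlist-based replacement. Table names, column names, the nonce name and the capability check are assumptions. The point worth remembering is that wpdb::prepare() binds values only, never identifiers, so parameterization alone cannot fix an orderby injection; mapping the request value onto a fixed allowlist of columns is the standard remedy.

```php
<?php
declare(strict_types=1);

// Added illustration of the weakness class, not the plugin's code. Table and
// column names are assumptions chosen to resemble a WordPress terms query.

// Unsafe pattern: the request's orderby/order values are interpolated straight
// into the ORDER BY clause. A %s placeholder cannot protect this position, since
// wpdb::prepare() binds values, not identifiers, so the attacker controls SQL
// syntax. A hypothetical time-based payload such as
//   orderby = "name,(SELECT IF(<condition>,SLEEP(5),0))"
// makes the response take 5 s only when <condition> holds, leaking one bit
// of database content per request.
function unsafe_terms_sql(string $orderby, string $order): string
{
    return 'SELECT t.term_id, t.name, tt.count FROM wp_terms t '
         . 'JOIN wp_term_taxonomy tt ON tt.term_id = t.term_id '
         . 'WHERE tt.taxonomy = %s '
         . "ORDER BY {$orderby} {$order}";   // injection point
}

// Hardened pattern: map the request value onto a fixed allowlist of columns and
// directions so that only known identifiers ever reach the query text. Anything
// not in the map falls back to a default instead of being echoed into SQL.
const ORDERBY_COLUMNS = [
    'name'    => 't.name',
    'slug'    => 't.slug',
    'count'   => 'tt.count',
    'term_id' => 't.term_id',
];

function safe_orderby_clause(string $orderby, string $order): string
{
    $column    = ORDERBY_COLUMNS[strtolower(trim($orderby))] ?? ORDERBY_COLUMNS['name'];
    $direction = strtoupper(trim($order)) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY {$column} {$direction}";
}

function safe_terms_sql(string $orderby, string $order): string
{
    return 'SELECT t.term_id, t.name, tt.count FROM wp_terms t '
         . 'JOIN wp_term_taxonomy tt ON tt.term_id = t.term_id '
         . 'WHERE tt.taxonomy = %s '
         . safe_orderby_clause($orderby, $order);
}

// Inside a WordPress AJAX handler the clause builder would sit behind the usual
// guards, with the taxonomy bound as a value (illustrative; needs WordPress, and
// real code would use $wpdb->terms / $wpdb->term_taxonomy for the table prefix):
//   check_ajax_referer('ai_preview_nonce');               // nonce name is assumed
//   if (!current_user_can('edit_posts')) {                // Contributor-level cap
//       wp_send_json_error('forbidden', 403);
//   }
//   global $wpdb;
//   $sql  = $wpdb->prepare(
//       safe_terms_sql($_POST['orderby'] ?? '', $_POST['order'] ?? ''),
//       $taxonomy
//   );
//   $rows = $wpdb->get_results($sql);

// Constructed inputs: a legitimate sort key and a time-based payload.
$inputs = [
    ['count', 'desc'],
    ['name,(SELECT IF(1=1,SLEEP(5),0))', 'asc'],
];
foreach ($inputs as [$orderby, $order]) {
    echo 'unsafe: ', unsafe_terms_sql($orderby, $order), PHP_EOL;
    echo 'safe:   ', safe_terms_sql($orderby, $order), PHP_EOL, PHP_EOL;
}
```

Running the script with the PHP CLI shows the payload landing verbatim in the unsafe query while the hardened builder reduces it to the default column. The same allowlist approach applies to any other identifier position (table names, GROUP BY columns) that a request can influence.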

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2025-13922

Affected Products

Tag