CVE-2025-13359

See a problem?
Please try reporting it to the source first.

Source

https://cve.org/CVERecord?id=CVE-2025-13359

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13359.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-13359

Published

2025-12-03T14:15:47.890Z

Modified

2026-03-14T12:41:30.492645Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

[none]

Details

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database granted they have metabox access for the taxonomy (enabled by default for contributors).

References

Affected packages

Git / github.com/TaxoPress/TaxoPress

Affected ranges

Type

GIT

Repo

https://github.com/TaxoPress/TaxoPress

Events

Introduced

Fixed

d2884994030f0e4329d3817301cd24b9983e58d1

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.41.0"
        }
    ]
}

Type: GIT
Repo: https://github.com/taxopress/taxopress
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

1097a22181aa10ce55cc9cd5fa8495f7494e18ea

Affected versions

2.*

2.4.3

2.4.4

2.4.6

2.5.1

2.5.2

2.5.3

2.5.4

2.5.5

2.5.6

2.5.7

3.*

3.0

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.4.1

3.0.4.2

3.0.5

3.0.5.1

3.0.5.2

3.0.6

3.0.6.1

3.0.7

3.0.7.1

3.0.7.2

3.1.0

3.1.1

3.1.2

3.10.0

3.10.1

3.10.2

3.11.0

3.11.1

3.2.0

3.2.1

3.2.2

3.3.0

3.3.1

3.4.0

3.4.1

3.4.2

3.4.3

3.4.4

3.4.5

3.5.0

3.5.1

3.5.2

3.5.3

3.6.0

3.6.1

3.6.2

3.6.3

3.6.4

3.6.5

3.6.6

3.6.7

3.7.0

3.7.1

3.7.2

3.7.3

3.7.4

3.8.0

3.9.0

v2.*

v2.28.1

v3.*

v3.12.0

v3.13.0

v3.20.0

v3.21.0

v3.21.1

v3.22.0

v3.23.0

v3.24.0

v3.24.1

v3.25.0

v3.25.1

v3.26.0

v3.27.0

v3.28.0

v3.28.1

v3.30.0

v3.31.0

v3.32.0

v3.33.0

v3.34.0

v3.35.1

v3.36.0

v3.37.0

v3.37.1

v3.37.2

v3.37.3

v3.37.4

v3.38.0

v3.40.0

v3.40.1

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-13359.json"