SQL Injection Vulnerability in Tag, Category, and Taxonomy Manager - AI Autotagger Plugin for WordPress
CVE-2025-13359
6.5MEDIUM
Key Information:
- Vendor
WordPress
- Vendor
- CVE Published:
- 3 December 2025
What is CVE-2025-13359?
The Tag, Category, and Taxonomy Manager β AI Autotagger plugin for WordPress is susceptible to time-based SQL Injection vulnerabilities due to inadequate escaping of user-supplied parameters within the 'getTermsForAjax' function. This flaw affects all versions up to and including 3.40.1, allowing attackers with contributor-level access and higher to inject additional SQL queries into existing ones. Such exploitation can lead to unauthorized access to sensitive database information, as long as the attacker has metabox access for taxonomy, which is typically enabled by default for contributors.
Affected Version(s)
Tag, Category, and Taxonomy Manager β AI Autotagger with OpenAI * <= 3.40.1