{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-13354", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-18T11:43:32.191Z", "datePublished": "2025-12-03T13:52:43.424Z", "dateUpdated": "2026-04-08T16:33:28.761Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:28.761Z"}, "affected": [{"vendor": "stevejburge", "product": "Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.40.1", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the \"taxopress_merge_terms_batch\" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms."}], "title": "Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI <= 3.40.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term Manipulation", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05c1ee52-02c9-440b-9269-14ea8b73be45?source=cve"}, {"url": "https://github.com/TaxoPress/TaxoPress/commit/5eb2cee861ebd109152eea968aca0259c078c8b0"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "timeline": [{"time": "2025-11-08T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-11-18T16:12:11.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-12-03T00:31:09.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-03T14:50:34.638149Z", "id": "CVE-2025-13354", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-03T14:50:39.039Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-13354", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-03T14:50:34.638149Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-03T14:50:36.634Z"}}], "cna": {"title": "Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI <= 3.40.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term Manipulation", "credits": [{"lang": "en", "type": "finder", "value": "M Indra Purnama"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "stevejburge", "product": "Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.40.1"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-08T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-11-18T16:12:11.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-12-03T00:31:09.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05c1ee52-02c9-440b-9269-14ea8b73be45?source=cve"}, {"url": "https://github.com/TaxoPress/TaxoPress/commit/5eb2cee861ebd109152eea968aca0259c078c8b0"}], "descriptions": [{"lang": "en", "value": "The Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the \"taxopress_merge_terms_batch\" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:28.761Z"}}}, "cveMetadata": {"cveId": "CVE-2025-13354", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:33:28.761Z", "dateReserved": "2025-11-18T11:43:32.191Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-12-03T13:52:43.424Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:taxopress:taxopress:*:*:*:*:*:wordpress:*:*", "matchCriteriaId": "CE8412F8-3636-4267-8AF5-D87CF86ADEC2", "versionEndExcluding": "3.41.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the \"taxopress_merge_terms_batch\" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms."}], "id": "CVE-2025-13354", "lastModified": "2025-12-05T18:41:56.647", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Primary"}]}, "published": "2025-12-03T14:15:46.930", "references": [{"source": "security@wordfence.com", "tags": ["Patch"], "url": "https://github.com/TaxoPress/TaxoPress/commit/5eb2cee861ebd109152eea968aca0259c078c8b0"}, {"source": "security@wordfence.com", "tags": ["Third Party Advisory"], "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05c1ee52-02c9-440b-9269-14ea8b73be45?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:26:50.384498+00:00", "value": {"mitigation_remediation": ["Upgrade the TaxoPress plugin to any version newer than 3.40.1 to remove the missing authorization check", "Re\u2011evaluate role capabilities and remove or restrict the ability for subscriber-level users to access taxonomy merge or delete actions if possible", "Enable logging or monitoring of taxonomy changes to detect any unauthorized modifications"], "summary": {"action": "Patch", "impact": "Arbitrary Taxonomy Term Manipulation via Authorization Bypass"}, "threat_synthesis": {"affected_systems": "WordPress installations running the TaxoPress plugin version 3.40.1 or earlier are impacted. The vulnerability is not present in versions newer than 3.40.1, and the issue applies to all supported WordPress versions that host the affected plugin.", "description_and_impact": "The TaxoPress \"Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI\" plugin contains an authorization bypass in the \"taxopress_merge_terms_batch\" function. The missing authorization check (CWE\u2011862) allows an authenticated user who has subscriber rights or higher to merge or delete taxonomy terms that they normally would not be permitted to alter. This elevation of privilege can corrupt content classification, disrupt site navigation, and undermine the integrity of the WordPress taxonomy system.", "risk_and_exploitability": "The CVSS base score of 4.3 indicates moderate risk, while an EPSS score of less than 1 percent shows that exploitation attempts are expected to be rare. The vulnerability is not listed in the CISA KEV catalog. An attacker would need legitimate subscriber level credentials to perform the bypass and manipulate taxonomy terms, so the attack vector is largely confined to authenticated site use. The lack of network or remote code execution vectors reduces the likelihood of widespread compromise."}}}}, "created": "2025-12-04T16:44:10.903667+00:00", "updated": "2026-04-22T16:30:22.142130+00:00", "vendors": ["wordpress", "wordpress$PRODUCT$wordpress"]}