{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14371", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-09T18:40:16.741Z", "datePublished": "2026-01-06T07:22:11.764Z", "dateUpdated": "2026-04-08T16:40:55.659Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:55.659Z"}, "affected": [{"vendor": "stevejburge", "product": "Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "3.41.0", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own."}], "title": "TaxoPress <= 3.41.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Tag Modification", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ef51ffb-df1e-442d-abc8-3a0308099a0b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php#L681"}, {"url": "https://research.cleantalk.org/cve-2025-14371/"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "timeline": [{"time": "2025-11-26T00:00:00.000Z", "lang": "en", "value": "Discovered"}, {"time": "2025-12-09T18:55:35.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-05T19:03:27.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-06T14:34:03.438795Z", "id": "CVE-2025-14371", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:34:33.502Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14371", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-06T14:34:03.438795Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-06T14:34:22.797Z"}}], "cna": {"title": "TaxoPress <= 3.41.0 - Missing Authorization to Authenticated (Contributor+) Arbitrary Post Tag Modification", "credits": [{"lang": "en", "type": "finder", "value": "Dmitrii Ignatyev"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "stevejburge", "product": "Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "3.41.0"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-26T00:00:00.000Z", "value": "Discovered"}, {"lang": "en", "time": "2025-12-09T18:55:35.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-05T19:03:27.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ef51ffb-df1e-442d-abc8-3a0308099a0b?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php#L681"}, {"url": "https://research.cleantalk.org/cve-2025-14371/"}], "descriptions": [{"lang": "en", "value": "The Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:40:55.659Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14371", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:40:55.659Z", "dateReserved": "2025-12-09T18:40:16.741Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-06T07:22:11.764Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own."}, {"lang": "es", "value": "El gestor de etiquetas, categor\u00edas y taxonom\u00edas \u2013 Autotagging de IA con el plugin de OpenAI para WordPress es vulnerable a la modificaci\u00f3n no autorizada de datos debido a una comprobaci\u00f3n de capacidad faltante en la funci\u00f3n taxopress_ai_add_post_term en todas las versiones hasta, e incluyendo, la 3.41.0. Esto hace posible que atacantes autenticados, con acceso de nivel Colaborador y superior, a\u00f1adan o eliminen t\u00e9rminos de taxonom\u00eda (etiquetas, categor\u00edas) en cualquier entrada, incluyendo aquellas que no les pertenecen."}], "id": "CVE-2025-14371", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-06T08:15:51.867", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php#L681"}, {"source": "security@wordfence.com", "url": "https://research.cleantalk.org/cve-2025-14371/"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/1ef51ffb-df1e-442d-abc8-3a0308099a0b?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T15:57:32.449770+00:00", "value": {"mitigation_remediation": ["Update the TaxoPress plugin to version 3.42 or later, which includes the necessary authorization check.", "If an immediate update is not possible, remove Contributor-level permissions from users who do not need to manage taxonomy terms, and enforce stricter role definitions.", "After applying the update, review recent taxonomy changes on posts to detect and correct any unauthorized modifications that may have occurred."], "summary": {"action": "Immediate Patch", "impact": "Unauthorized taxonomy term modification"}, "threat_synthesis": {"affected_systems": "The issue affects the stevejburge WordPress plugin \"Tag, Category, and Taxonomy Manager \u2013 AI Autotagger with OpenAI\" in all releases up to and including version 3.41.0. Site administrators running any of these plugin versions are susceptible.", "description_and_impact": "A missing capability check in the taxopress_ai_add_post_term function lets users with Contributor-level access and higher add or delete tags and categories on any WordPress post, even those they do not own. This flaw allows an attacker to alter content classification, influence search engine visibility, and potentially misdirect users. The vulnerability does not grant code execution or full system compromise, but it disrupts content integrity and trust.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate impact, and the EPSS score of less than 1% suggests a low likelihood of exploitation. The flaw is not listed in the CISA KEV catalog. An authenticated user on a WordPress site who holds a Contributor role or higher can exploit the vulnerability simply by using the normal plugin interface or by constructing a crafted request to the taxopress AI Ajax endpoint. No additional conditions or elevated privileges are required beyond those granted by the standard Contributor capability."}}}}, "created": "2026-01-06T14:15:45.156399+00:00", "updated": "2026-04-22T16:00:12.102880+00:00", "vendors": ["taxopress", "taxopress$PRODUCT$taxopress", "wordpress", "wordpress$PRODUCT$wordpress"]}