CVE-2025-13922: TaxoPress Authenticated SQL Injection with POC

Key Vulnerability Summary 1. Vulnerability Overview CVE ID: CVE-2025-13922 Vulnerability Name: TaxoPress (Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI) – Authenticated (Contributor+) SQL Injection Vulnerability Type: Time-based blind SQL injection Description: This vulnerability exists within the AI preview feature of the TaxoPress plugin. An attacker with Contributor-level permissions or higher can inject SQL statements via the AJAX workflow. The vulnerable parameter is , which allows attackers to inject payloads containing delays (e.g., ) to observe timing differences. 2. Scope of Impact Affected Plugin: Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI (Plugin slug: ) Affected Versions: All versions up to and including 3.40.1 Active Installations: 50,000+ Researcher: Dmitri Ignatyev 3. Remediation Official Recommendation: Upgrade to TaxoPress version 3.41.0 or higher. Technical Recommendation: The fix must go beyond simple "escaping" and implement strict allow-listing and secure query construction. For any clause, the code must map user input to a limited set of allowed columns (e.g., , , , etc.). Enforce direction ( or ) only, rejecting all other input. If the logic requires multiple sort keys, they must be assembled from validated tokens rather than using raw strings directly. 4. POC Code**

Goal Reached Thanks to every supporter — we hit 100%!

CVE-2025-13922: TaxoPress Authenticated SQL Injection with POC