CVE-2025-11972 — MEDIUM (CVSS 4.9) AI Security Vulnerability

CISO Take

WordPress sites running TaxoPress (≤3.40.0) with OpenAI integration should patch immediately to 3.41.0+. An authenticated Editor-level attacker can exploit SQL injection in the 'post_types' parameter to exfiltrate database contents—including OpenAI API keys commonly stored in plaintext in WordPress options tables. Patch, then rotate any OpenAI API credentials stored in affected databases.

Risk Assessment

Effective risk is moderate in isolation (CVSS 4.9, high privilege required), but escalates materially in organizations where WordPress Editor roles are broadly assigned, shared, or obtainable via credential stuffing. The primary AI risk vector is exfiltration of OpenAI API credentials from the WordPress database, which converts a medium-severity SQLi into a gateway for unauthorized LLM access, cost harvesting, and downstream data exposure. Not in CISA KEV; no evidence of active exploitation.

Severity & Risk

CVSS 3.1

4.9 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 9% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

Attack Surface

AV Network

AC Low

PR High

UI None

S Unchanged

C High

I None

A None

Recommended Action

6 steps

PATCH

Update TaxoPress to 3.41.0+ immediately (fix: commit fd35042).
ROTATE

Audit and rotate all OpenAI API keys stored in affected WordPress databases—assume compromise if unpatched instances existed on internet-facing hosts.
RESTRICT

Audit and reduce Editor-level role assignments; apply least privilege.
HARDEN

Migrate API key storage from WordPress database to environment variables or a secrets manager.
DETECT

Review web/database logs for UNION/SELECT patterns in admin AJAX requests targeting TaxoPress endpoints.
WAF

Enable SQL injection rules on WordPress admin endpoints via WAF or plugin (e.g., Wordfence).

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Plugin API AML.T0025 - Exfiltration via Cyber Means AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0091.000 - Application Access Token

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.9.2 - AI System Security Controls

NIST AI RMF

GOVERN 6.1 - Policies for Secure AI Development and Deployment

OWASP LLM Top 10

LLM07:2025 - System Prompt Leakage / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-11972?

WordPress sites running TaxoPress (≤3.40.0) with OpenAI integration should patch immediately to 3.41.0+. An authenticated Editor-level attacker can exploit SQL injection in the 'post_types' parameter to exfiltrate database contents—including OpenAI API keys commonly stored in plaintext in WordPress options tables. Patch, then rotate any OpenAI API credentials stored in affected databases.

Is CVE-2025-11972 actively exploited?

No confirmed active exploitation of CVE-2025-11972 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-11972?

1. PATCH: Update TaxoPress to 3.41.0+ immediately (fix: commit fd35042). 2. ROTATE: Audit and rotate all OpenAI API keys stored in affected WordPress databases—assume compromise if unpatched instances existed on internet-facing hosts. 3. RESTRICT: Audit and reduce Editor-level role assignments; apply least privilege. 4. HARDEN: Migrate API key storage from WordPress database to environment variables or a secrets manager. 5. DETECT: Review web/database logs for UNION/SELECT patterns in admin AJAX requests targeting TaxoPress endpoints. 6. WAF: Enable SQL injection rules on WordPress admin endpoints via WAF or plugin (e.g., Wordfence).

What systems are affected by CVE-2025-11972?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin deployments, LLM API integrations in CMS platforms, AI-powered content classification pipelines.

What is the CVSS score for CVE-2025-11972?

CVE-2025-11972 has a CVSS v3.1 base score of 4.9 (MEDIUM). The EPSS exploitation probability is 0.03%.

Technical Details

NVD Description

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to SQL Injection via the 'post_types' parameter in all versions up to, and including, 3.40.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploitation Scenario

An attacker with Editor credentials—obtained via phishing, credential stuffing against /wp-login.php, or an insider—sends a crafted POST request to the TaxoPress admin AJAX handler with a stacked SQL payload in the 'post_types' parameter. The injected query reads wp_options WHERE option_name='taxopress_openai_settings' (or equivalent), returning the stored OpenAI API key in the response. The attacker then authenticates directly to the OpenAI API using the stolen key, queries models at the victim's expense, extracts any data ingested via the plugin's auto-tagging workflow, or sells the key. Total exploitation time post-authentication: under 5 minutes with public SQLi tooling.