CVE-2025-11972 — MEDIUM (CVSS 4.9) AI Security Vulnerability

CISO Take

WordPress sites running TaxoPress (≤3.40.0) with OpenAI integration should patch immediately to 3.41.0+. An authenticated Editor-level attacker can exploit SQL injection in the 'post_types' parameter to exfiltrate database contents—including OpenAI API keys commonly stored in plaintext in WordPress options tables. Patch, then rotate any OpenAI API credentials stored in affected databases.

Severity & Risk

CVSS 3.1

4.9 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Trivial

Recommended Action

1. PATCH: Update TaxoPress to 3.41.0+ immediately (fix: commit fd35042). 2. ROTATE: Audit and rotate all OpenAI API keys stored in affected WordPress databases—assume compromise if unpatched instances existed on internet-facing hosts. 3. RESTRICT: Audit and reduce Editor-level role assignments; apply least privilege. 4. HARDEN: Migrate API key storage from WordPress database to environment variables or a secrets manager. 5. DETECT: Review web/database logs for UNION/SELECT patterns in admin AJAX requests targeting TaxoPress endpoints. 6. WAF: Enable SQL injection rules on WordPress admin endpoints via WAF or plugin (e.g., Wordfence).

Classification

Data Extraction Auth Bypass Plugin API AML.T0025 - Exfiltration via Cyber Means AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0091.000 - Application Access Token

Compliance Impact

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.9.2 - AI System Security Controls

NIST AI RMF

GOVERN 6.1 - Policies for Secure AI Development and Deployment

OWASP LLM Top 10

LLM07:2025 - System Prompt Leakage / Insecure Plugin Design

Technical Details

NVD Description

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to SQL Injection via the 'post_types' parameter in all versions up to, and including, 3.40.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploitation Scenario

An attacker with Editor credentials—obtained via phishing, credential stuffing against /wp-login.php, or an insider—sends a crafted POST request to the TaxoPress admin AJAX handler with a stacked SQL payload in the 'post_types' parameter. The injected query reads wp_options WHERE option_name='taxopress_openai_settings' (or equivalent), returning the stored OpenAI API key in the response. The attacker then authenticates directly to the OpenAI API using the stolen key, queries models at the victim's expense, extracts any data ingested via the plugin's auto-tagging workflow, or sells the key. Total exploitation time post-authentication: under 5 minutes with public SQLi tooling.

Weaknesses (CWE)

CWE-89

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published

November 8, 2025

Last Modified

November 28, 2025

First Seen

November 8, 2025