CVE-2025-11972: SQL Injection exposes database

CISO Take

WordPress sites running TaxoPress (≤3.40.0) with OpenAI integration should patch immediately to 3.41.0+. An authenticated Editor-level attacker can exploit SQL injection in the 'post_types' parameter to exfiltrate database contents—including OpenAI API keys commonly stored in plaintext in WordPress options tables. Patch, then rotate any OpenAI API credentials stored in affected databases.

What is the risk?

Effective risk is moderate in isolation (CVSS 4.9, high privilege required), but escalates materially in organizations where WordPress Editor roles are broadly assigned, shared, or obtainable via credential stuffing. The primary AI risk vector is exfiltration of OpenAI API credentials from the WordPress database, which converts a medium-severity SQLi into a gateway for unauthorized LLM access, cost harvesting, and downstream data exposure. Not in CISA KEV; no evidence of active exploitation.

How severe is it?

CVSS 3.1

4.9 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 18% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Trivial

What is the attack surface?

AV Network

AC Low

PR High

UI None

S Unchanged

C High

I None

A None

What should I do?

6 steps

PATCH

Update TaxoPress to 3.41.0+ immediately (fix: commit fd35042).
ROTATE

Audit and rotate all OpenAI API keys stored in affected WordPress databases—assume compromise if unpatched instances existed on internet-facing hosts.
RESTRICT

Audit and reduce Editor-level role assignments; apply least privilege.
HARDEN

Migrate API key storage from WordPress database to environment variables or a secrets manager.
DETECT

Review web/database logs for UNION/SELECT patterns in admin AJAX requests targeting TaxoPress endpoints.
WAF

Enable SQL injection rules on WordPress admin endpoints via WAF or plugin (e.g., Wordfence).

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Plugin API AML.T0025 - Exfiltration via Cyber Means AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials AML.T0091.000 - Application Access Token

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art. 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

A.9.2 - AI System Security Controls

NIST AI RMF

GOVERN 6.1 - Policies for Secure AI Development and Deployment

OWASP LLM Top 10

LLM07:2025 - System Prompt Leakage / Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-11972?

WordPress sites running TaxoPress (≤3.40.0) with OpenAI integration should patch immediately to 3.41.0+. An authenticated Editor-level attacker can exploit SQL injection in the 'post_types' parameter to exfiltrate database contents—including OpenAI API keys commonly stored in plaintext in WordPress options tables. Patch, then rotate any OpenAI API credentials stored in affected databases.

Is CVE-2025-11972 actively exploited?

No confirmed active exploitation of CVE-2025-11972 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-11972?

1. PATCH: Update TaxoPress to 3.41.0+ immediately (fix: commit fd35042). 2. ROTATE: Audit and rotate all OpenAI API keys stored in affected WordPress databases—assume compromise if unpatched instances existed on internet-facing hosts. 3. RESTRICT: Audit and reduce Editor-level role assignments; apply least privilege. 4. HARDEN: Migrate API key storage from WordPress database to environment variables or a secrets manager. 5. DETECT: Review web/database logs for UNION/SELECT patterns in admin AJAX requests targeting TaxoPress endpoints. 6. WAF: Enable SQL injection rules on WordPress admin endpoints via WAF or plugin (e.g., Wordfence).

What systems are affected by CVE-2025-11972?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin deployments, LLM API integrations in CMS platforms, AI-powered content classification pipelines.

What is the CVSS score for CVE-2025-11972?

CVE-2025-11972 has a CVSS v3.1 base score of 4.9 (MEDIUM). The EPSS exploitation probability is 0.27%.

What is the AI security impact?

Affected AI Architectures

WordPress AI plugin deploymentsLLM API integrations in CMS platformsAI-powered content classification pipelines

MITRE ATLAS Techniques

AML.T0025 Exfiltration via Cyber Means

AML.T0034 Cost Harvesting

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

AML.T0091.000 Application Access Token

Compliance Controls Affected

EU AI Act: Art. 15

ISO 42001: A.9.2

NIST AI RMF: GOVERN 6.1

OWASP LLM Top 10: LLM07:2025

What are the technical details?

Original Advisory

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to SQL Injection via the 'post_types' parameter in all versions up to, and including, 3.40.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Exploitation Scenario

An attacker with Editor credentials—obtained via phishing, credential stuffing against /wp-login.php, or an insider—sends a crafted POST request to the TaxoPress admin AJAX handler with a stacked SQL payload in the 'post_types' parameter. The injected query reads wp_options WHERE option_name='taxopress_openai_settings' (or equivalent), returning the stored OpenAI API key in the response. The attacker then authenticates directly to the OpenAI API using the stolen key, queries models at the victim's expense, extracts any data ingested via the plugin's auto-tagging workflow, or sells the key. Total exploitation time post-authentication: under 5 minutes with public SQLi tooling.

Weaknesses (CWE)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
[Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.