CVE-2025-13359 — MEDIUM (CVSS 6.5) AI Security Vulnerability

CISO Take

A time-based SQL injection in the TaxoPress OpenAI WordPress plugin lets any contributor extract the full database, including stored OpenAI API keys. Patch to the latest version immediately or disable the plugin; rotate any exposed OpenAI API keys without delay. The primary AI risk is API key theft enabling unauthorized LLM usage and cost abuse against your account.

Risk Assessment

Medium severity with elevated AI-specific risk. Contributor-level access requirement limits exposure on tightly controlled sites, but WordPress installations with open contributor registration or large editorial teams face real risk. Time-based SQLi is fully automatable via SQLMap, making this accessible to non-specialists. The confidentiality-only CVSS impact (C:H) understates the AI risk: WordPress options tables store OpenAI API keys in plaintext, turning a medium-CVSS vuln into a credential compromise vector.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
taxopress	—	—	No patch

Do you use taxopress? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

0.0%

chance of exploitation in 30 days

Higher than 7% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

No known exploitation

Sophistication

Moderate

Attack Surface

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

Recommended Action

6 steps

Patch immediately: update TaxoPress to the version including commit 1097a22.
Rotate the OpenAI API key stored in WordPress options table — do not wait for patching if there is any delay.
Restrict contributor metabox access for taxonomy management (Admin > TaxoPress settings).
Query wp_options for 'taxopress' and 'openai' entries to identify exposed credentials and assess blast radius.
Detection: monitor admin-ajax.php for repeated requests with 'getTermsForAjax' action exhibiting abnormal response time variance — characteristic of time-based SQLi probing.
If WAF is deployed, add rule blocking SQLi patterns on that AJAX endpoint.

CISA SSVC Assessment

Decision Track

Exploitation none

Automatable No

Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Privacy Violation Plugin API AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.13 - Transparency and Provision of Information Art.9 - Risk Management System

ISO 42001

A.6.2 - AI System Roles and Responsibilities A.9.3 - AI System Security A.9.4 - System and Application Access Control

NIST AI RMF

GOVERN-1.7 - Processes for AI Risk Management MANAGE-2.2 - Risk Treatment — AI System Security Controls MANAGE-2.4 - Mechanisms for Incident Response

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-13359?

A time-based SQL injection in the TaxoPress OpenAI WordPress plugin lets any contributor extract the full database, including stored OpenAI API keys. Patch to the latest version immediately or disable the plugin; rotate any exposed OpenAI API keys without delay. The primary AI risk is API key theft enabling unauthorized LLM usage and cost abuse against your account.

Is CVE-2025-13359 actively exploited?

No confirmed active exploitation of CVE-2025-13359 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-13359?

1. Patch immediately: update TaxoPress to the version including commit 1097a22. 2. Rotate the OpenAI API key stored in WordPress options table — do not wait for patching if there is any delay. 3. Restrict contributor metabox access for taxonomy management (Admin > TaxoPress settings). 4. Query wp_options for 'taxopress' and 'openai' entries to identify exposed credentials and assess blast radius. 5. Detection: monitor admin-ajax.php for repeated requests with 'getTermsForAjax' action exhibiting abnormal response time variance — characteristic of time-based SQLi probing. 6. If WAF is deployed, add rule blocking SQLi patterns on that AJAX endpoint.

What systems are affected by CVE-2025-13359?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin integrations, LLM API key management in CMS environments, CMS-based AI content pipelines.

What is the CVSS score for CVE-2025-13359?

CVE-2025-13359 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database granted they have metabox access for the taxonomy (enabled by default for contributors).

Exploitation Scenario

Attacker registers as a contributor on a WordPress site using TaxoPress with OpenAI integration enabled. Using a time-based SQLi payload injected into the getTermsForAjax AJAX endpoint (metabox access enabled by default), they enumerate the wp_options table to extract the stored OpenAI API key. With the stolen key, the attacker makes unauthorized OpenAI API calls for cost harvesting, accesses any fine-tuned models tied to that key, or pivots to other services if the API key is reused. Total time from contributor access to key extraction: under 30 minutes with automated tooling.