AI Threat Alert
CVE-2025-13359: taxopress: SQL Injection exposes database
MEDIUMA time-based SQL injection in the TaxoPress OpenAI WordPress plugin lets any contributor extract the full database, including stored OpenAI API keys. Patch to the latest version immediately or disable the plugin; rotate any exposed OpenAI API keys without delay. The primary AI risk is API key theft enabling unauthorized LLM usage and cost abuse against your account.
What is the risk?
Medium severity with elevated AI-specific risk. Contributor-level access requirement limits exposure on tightly controlled sites, but WordPress installations with open contributor registration or large editorial teams face real risk. Time-based SQLi is fully automatable via SQLMap, making this accessible to non-specialists. The confidentiality-only CVSS impact (C:H) understates the AI risk: WordPress options tables store OpenAI API keys in plaintext, turning a medium-CVSS vuln into a credential compromise vector.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| taxopress | — | — | No patch |
Do you use taxopress? You're affected.
How severe is it?
What is the attack surface?
What should I do?
6 steps-
Patch immediately: update TaxoPress to the version including commit 1097a22.
-
Rotate the OpenAI API key stored in WordPress options table — do not wait for patching if there is any delay.
-
Restrict contributor metabox access for taxonomy management (Admin > TaxoPress settings).
-
Query wp_options for 'taxopress' and 'openai' entries to identify exposed credentials and assess blast radius.
-
Detection: monitor admin-ajax.php for repeated requests with 'getTermsForAjax' action exhibiting abnormal response time variance — characteristic of time-based SQLi probing.
-
If WAF is deployed, add rule blocking SQLi patterns on that AJAX endpoint.
What does CISA's SSVC say?
Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.
How is it classified?
Which compliance frameworks are affected?
This CVE is relevant to:
Frequently Asked Questions
What is CVE-2025-13359?
A time-based SQL injection in the TaxoPress OpenAI WordPress plugin lets any contributor extract the full database, including stored OpenAI API keys. Patch to the latest version immediately or disable the plugin; rotate any exposed OpenAI API keys without delay. The primary AI risk is API key theft enabling unauthorized LLM usage and cost abuse against your account.
Is CVE-2025-13359 actively exploited?
No confirmed active exploitation of CVE-2025-13359 has been reported, but organizations should still patch proactively.
How to fix CVE-2025-13359?
1. Patch immediately: update TaxoPress to the version including commit 1097a22. 2. Rotate the OpenAI API key stored in WordPress options table — do not wait for patching if there is any delay. 3. Restrict contributor metabox access for taxonomy management (Admin > TaxoPress settings). 4. Query wp_options for 'taxopress' and 'openai' entries to identify exposed credentials and assess blast radius. 5. Detection: monitor admin-ajax.php for repeated requests with 'getTermsForAjax' action exhibiting abnormal response time variance — characteristic of time-based SQLi probing. 6. If WAF is deployed, add rule blocking SQLi patterns on that AJAX endpoint.
What systems are affected by CVE-2025-13359?
This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin integrations, LLM API key management in CMS environments, CMS-based AI content pipelines.
What is the CVSS score for CVE-2025-13359?
CVE-2025-13359 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.30%.
What is the AI security impact?
Affected AI Architectures
MITRE ATLAS Techniques
AML.T0010.001 AI Software AML.T0025 Exfiltration via Cyber Means AML.T0034 Cost Harvesting AML.T0049 Exploit Public-Facing Application AML.T0055 Unsecured Credentials Compliance Controls Affected
What are the technical details?
Original Advisory
The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database granted they have metabox access for the taxonomy (enabled by default for contributors).
Exploitation Scenario
Attacker registers as a contributor on a WordPress site using TaxoPress with OpenAI integration enabled. Using a time-based SQLi payload injected into the getTermsForAjax AJAX endpoint (metabox access enabled by default), they enumerate the wp_options table to extract the stored OpenAI API key. With the stolen key, the attacker makes unauthorized OpenAI API calls for cost harvesting, accesses any fine-tuned models tied to that key, or pivots to other services if the API key is reused. Total time from contributor access to key extraction: under 30 minutes with automated tooling.
Weaknesses (CWE)
CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
- [Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
- [Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]
Source: MITRE CWE corpus.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References
Timeline
Related Vulnerabilities
CVE-2026-21858 10.0 n8n: Input Validation flaw enables exploitation
Same attack type: Data Extraction CVE-2025-53767 10.0 Azure OpenAI: SSRF EoP, no auth required (CVSS 10)
Same attack type: Data Extraction CVE-2025-2828 10.0 LangChain RequestsToolkit: SSRF exposes cloud metadata
Same attack type: Data Extraction CVE-2023-3765 10.0 MLflow: path traversal allows arbitrary file read
Same attack type: Data Extraction CVE-2024-12909 10.0 llama-index finchat: SQL injection enables RCE
Same attack type: Data Extraction