AI Threat Alert AI Threat Alert

CVE-2025-13922: AI component: SQL Injection exposes database

MEDIUM PoC AVAILABLE
Published December 6, 2025
CISO Take

If your organization runs WordPress with the TaxoPress AI Autotagger (Simple Tags) plugin, patch to 3.40.2+ immediately — any Contributor-level user with AI metabox permissions can exfiltrate your entire WordPress database via time-based blind SQL injection, including stored OpenAI API keys. As an interim workaround, revoke AI metabox permissions from Contributor roles and rotate any OpenAI API keys stored in wp_options.

Risk Assessment

Medium-high operational risk despite the 6.5 CVSS score. Attack complexity is low and no user interaction is required, making exploitation straightforward for any attacker who holds or compromises Contributor credentials. The high confidentiality impact exposes the full database — user hashes, PII, session tokens, and stored API keys. The AI integration elevates risk beyond a standard WordPress SQLi: extracted OpenAI API keys enable secondary attacks including cost harvesting, unauthorized inference, and potential access to organization-specific fine-tuned models or accumulated prompt history.

Severity & Risk

CVSS 3.1
6.5 / 10
EPSS
0.0%
chance of exploitation in 30 days
Higher than 6% of all CVEs
Source: EPSS v3 — FIRST.org
Exploitation Status
Exploit Available
Exploitation: MEDIUM
Sophistication
Trivial
Exploitation Confidence
medium
Public PoC indexed (trickest/cve)
Composite signal derived from CISA KEV, CISA SSVC, EPSS, trickest/cve, and Nuclei templates.

Attack Surface

AV AC PR UI S C I A
AV Network
AC Low
PR Low
UI None
S Unchanged
C High
I None
A None

Recommended Action

6 steps

  1. PATCH

    Update Simple Tags / TaxoPress to 3.40.2+ via WP admin or wp plugin update simple-tags. Verify with wp plugin get simple-tags --field=version.

  2. WORKAROUND (if patching delayed): Disable AI Autotagger feature or remove AI metabox capability from Contributor role via wp role remove-cap contributor manage_options or equivalent.

  3. ROTATE KEYS

    Immediately rotate any OpenAI API keys stored in WordPress. Restrict regenerated keys to WordPress server IP via OpenAI API key settings.

  4. AUDIT ACCOUNTS

    Review all Contributor-level accounts — remove unnecessary elevations; enforce least privilege on AI metabox permissions.

  5. DETECT

    Monitor admin-ajax.php access logs for repeated requests with 5–10 second response time patterns (time-based SQLi signature). Alert on SLEEP, BENCHMARK, or WAITFOR DELAY strings in POST body.

  6. WAF

    Deploy rule blocking SQL timing functions in the existing_terms_orderby parameter. Cloudflare, ModSecurity, and Wordfence all support parameter-level SQLi rules.

CISA SSVC Assessment

Decision Track
Exploitation none
Automatable No
Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

Classification

Data Extraction Auth Bypass Plugin API AML.T0012 AML.T0025 AML.T0040 AML.T0049 AML.T0055

Compliance Impact

This CVE is relevant to:

EU AI Act
Art.9 - Risk Management System Article 15 - Accuracy, Robustness and Cybersecurity
ISO 42001
8.4 - AI System Risk Management A.6.2.6 - Security of AI System
NIST AI RMF
GOVERN-1.7 - Organizational Processes for AI Risk Management MANAGE 2.2 - Mechanisms to sustain value of deployed AI systems MAP-5.1 - Likelihood and Magnitude of Identified Impacts
OWASP LLM Top 10
LLM07 - Insecure Plugin Design LLM07:2023 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-13922?

If your organization runs WordPress with the TaxoPress AI Autotagger (Simple Tags) plugin, patch to 3.40.2+ immediately — any Contributor-level user with AI metabox permissions can exfiltrate your entire WordPress database via time-based blind SQL injection, including stored OpenAI API keys. As an interim workaround, revoke AI metabox permissions from Contributor roles and rotate any OpenAI API keys stored in wp_options.

Is CVE-2025-13922 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-13922, increasing the risk of exploitation.

How to fix CVE-2025-13922?

1. PATCH: Update Simple Tags / TaxoPress to 3.40.2+ via WP admin or `wp plugin update simple-tags`. Verify with `wp plugin get simple-tags --field=version`. 2. WORKAROUND (if patching delayed): Disable AI Autotagger feature or remove AI metabox capability from Contributor role via `wp role remove-cap contributor manage_options` or equivalent. 3. ROTATE KEYS: Immediately rotate any OpenAI API keys stored in WordPress. Restrict regenerated keys to WordPress server IP via OpenAI API key settings. 4. AUDIT ACCOUNTS: Review all Contributor-level accounts — remove unnecessary elevations; enforce least privilege on AI metabox permissions. 5. DETECT: Monitor admin-ajax.php access logs for repeated requests with 5–10 second response time patterns (time-based SQLi signature). Alert on `SLEEP`, `BENCHMARK`, or `WAITFOR DELAY` strings in POST body. 6. WAF: Deploy rule blocking SQL timing functions in the `existing_terms_orderby` parameter. Cloudflare, ModSecurity, and Wordfence all support parameter-level SQLi rules.

What systems are affected by CVE-2025-13922?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin integrations, CMS-based AI content classification pipelines, OpenAI API integrations with stored credentials, AI-augmented content management systems.

What is the CVSS score for CVE-2025-13922?

CVE-2025-13922 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.02%.

Technical Details

NVD Description

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'existing_terms_orderby' parameter in the AI preview AJAX endpoint in all versions up to, and including, 3.40.1. This is due to insufficient escaping on user-supplied parameters and lack of SQL query parameterization. This makes it possible for authenticated attackers, with Contributor-level access and above who have AI metabox permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, cause performance degradation, or enable data inference through time-based techniques.

Exploitation Scenario

An attacker registers a free WordPress account or compromises a low-privileged Contributor credential (via credential stuffing or phishing). With AI metabox permissions enabled, they send crafted AJAX POST requests to `/wp-admin/admin-ajax.php` injecting a time-based payload into `existing_terms_orderby`: e.g., `name,(CASE WHEN (SUBSTRING((SELECT option_value FROM wp_options WHERE option_name='openai_api_key'),1,1)='s') THEN SLEEP(5) ELSE 0 END)`. By measuring response latency across thousands of automated requests, the attacker reconstructs database contents character by character — extracting wp_users password hashes, stored OpenAI API keys, Stripe keys, and any PII in the database. The extracted OpenAI key is then used for unauthorized inference at the victim's expense, or sold. Total time to extract a 32-character API key via automated tooling: under 30 minutes on a typical shared WordPress host.

Weaknesses (CWE)

CWE-89

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published
December 6, 2025
Last Modified
December 8, 2025
First Seen
December 6, 2025

Related Vulnerabilities

CRITICAL CVE-2026-21858 10.0

n8n: Input Validation flaw enables exploitation

Same attack type: Data Extraction
CRITICAL CVE-2025-53767 10.0

Azure OpenAI: SSRF EoP, no auth required (CVSS 10)

Same attack type: Data Extraction
CRITICAL CVE-2023-3765 10.0

MLflow: path traversal allows arbitrary file read

Same attack type: Data Extraction
CRITICAL CVE-2025-2828 10.0

LangChain RequestsToolkit: SSRF exposes cloud metadata

Same attack type: Data Extraction
CRITICAL GHSA-vvpj-8cmc-gx39 10.0

picklescan: security flaw enables exploitation

Same attack type: Auth Bypass
Back to Threat Feed