AI Threat Alert
CVE-2025-13922
MEDIUMIf your organization runs WordPress with the TaxoPress AI Autotagger (Simple Tags) plugin, patch to 3.40.2+ immediately — any Contributor-level user with AI metabox permissions can exfiltrate your entire WordPress database via time-based blind SQL injection, including stored OpenAI API keys. As an interim workaround, revoke AI metabox permissions from Contributor roles and rotate any OpenAI API keys stored in wp_options.
Severity & Risk
Recommended Action
- 1. PATCH: Update Simple Tags / TaxoPress to 3.40.2+ via WP admin or `wp plugin update simple-tags`. Verify with `wp plugin get simple-tags --field=version`. 2. WORKAROUND (if patching delayed): Disable AI Autotagger feature or remove AI metabox capability from Contributor role via `wp role remove-cap contributor manage_options` or equivalent. 3. ROTATE KEYS: Immediately rotate any OpenAI API keys stored in WordPress. Restrict regenerated keys to WordPress server IP via OpenAI API key settings. 4. AUDIT ACCOUNTS: Review all Contributor-level accounts — remove unnecessary elevations; enforce least privilege on AI metabox permissions. 5. DETECT: Monitor admin-ajax.php access logs for repeated requests with 5–10 second response time patterns (time-based SQLi signature). Alert on `SLEEP`, `BENCHMARK`, or `WAITFOR DELAY` strings in POST body. 6. WAF: Deploy rule blocking SQL timing functions in the `existing_terms_orderby` parameter. Cloudflare, ModSecurity, and Wordfence all support parameter-level SQLi rules.
Classification
Compliance Impact
This CVE is relevant to:
Technical Details
NVD Description
The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'existing_terms_orderby' parameter in the AI preview AJAX endpoint in all versions up to, and including, 3.40.1. This is due to insufficient escaping on user-supplied parameters and lack of SQL query parameterization. This makes it possible for authenticated attackers, with Contributor-level access and above who have AI metabox permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, cause performance degradation, or enable data inference through time-based techniques.
Exploitation Scenario
An attacker registers a free WordPress account or compromises a low-privileged Contributor credential (via credential stuffing or phishing). With AI metabox permissions enabled, they send crafted AJAX POST requests to `/wp-admin/admin-ajax.php` injecting a time-based payload into `existing_terms_orderby`: e.g., `name,(CASE WHEN (SUBSTRING((SELECT option_value FROM wp_options WHERE option_name='openai_api_key'),1,1)='s') THEN SLEEP(5) ELSE 0 END)`. By measuring response latency across thousands of automated requests, the attacker reconstructs database contents character by character — extracting wp_users password hashes, stored OpenAI API keys, Stripe keys, and any PII in the database. The extracted OpenAI key is then used for unauthorized inference at the victim's expense, or sold. Total time to extract a 32-character API key via automated tooling: under 30 minutes on a typical shared WordPress host.
Weaknesses (CWE)
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N References
- plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/inc/class.admin.php
- plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php
- plugins.trac.wordpress.org/changeset
- wordfence.com/threat-intel/vulnerabilities/id/f40cc632-c6af-4c8b-a455-76319f7fe151