CVE-2025-13922: SQL Injection exposes database

CISO Take

If your organization runs WordPress with the TaxoPress AI Autotagger (Simple Tags) plugin, patch to 3.40.2+ immediately — any Contributor-level user with AI metabox permissions can exfiltrate your entire WordPress database via time-based blind SQL injection, including stored OpenAI API keys. As an interim workaround, revoke AI metabox permissions from Contributor roles and rotate any OpenAI API keys stored in wp_options.

What is the risk?

Medium-high operational risk despite the 6.5 CVSS score. Attack complexity is low and no user interaction is required, making exploitation straightforward for any attacker who holds or compromises Contributor credentials. The high confidentiality impact exposes the full database — user hashes, PII, session tokens, and stored API keys. The AI integration elevates risk beyond a standard WordPress SQLi: extracted OpenAI API keys enable secondary attacks including cost harvesting, unauthorized inference, and potential access to organization-specific fine-tuned models or accumulated prompt history.

How severe is it?

CVSS 3.1

6.5 / 10

EPSS

0.3%

chance of exploitation in 30 days

Higher than 16% of all CVEs

Source: EPSS v3 — FIRST.org

Exploitation Status

Exploit Available

Exploitation: MEDIUM

Sophistication

Trivial

Exploitation Confidence

medium

○ Public PoC indexed (trickest/cve)

Composite signal derived from CISA KEV, VulnCheck KEV, CISA SSVC, EPSS, Metasploit, Exploit-DB, trickest/cve, Nuclei templates, and inthewild.io exploitation reports.

What is the attack surface?

AV Network

AC Low

PR Low

UI None

S Unchanged

C High

I None

A None

What should I do?

6 steps

PATCH

Update Simple Tags / TaxoPress to 3.40.2+ via WP admin or wp plugin update simple-tags. Verify with wp plugin get simple-tags --field=version.
WORKAROUND (if patching delayed): Disable AI Autotagger feature or remove AI metabox capability from Contributor role via wp role remove-cap contributor manage_options or equivalent.
ROTATE KEYS

Immediately rotate any OpenAI API keys stored in WordPress. Restrict regenerated keys to WordPress server IP via OpenAI API key settings.
AUDIT ACCOUNTS

Review all Contributor-level accounts — remove unnecessary elevations; enforce least privilege on AI metabox permissions.
DETECT

Monitor admin-ajax.php access logs for repeated requests with 5–10 second response time patterns (time-based SQLi signature). Alert on SLEEP, BENCHMARK, or WAITFOR DELAY strings in POST body.
WAF

Deploy rule blocking SQL timing functions in the existing_terms_orderby parameter. Cloudflare, ModSecurity, and Wordfence all support parameter-level SQLi rules.

What does CISA's SSVC say?

Decision Track

Exploitation none

Automatable No

Technical Impact total

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Data Extraction Auth Bypass Plugin API AML.T0012 - Valid Accounts AML.T0025 - Exfiltration via Cyber Means AML.T0040 - AI Model Inference API Access AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act

Art.9 - Risk Management System Article 15 - Accuracy, Robustness and Cybersecurity

ISO 42001

8.4 - AI System Risk Management A.6.2.6 - Security of AI System

NIST AI RMF

GOVERN-1.7 - Organizational Processes for AI Risk Management MANAGE 2.2 - Mechanisms to sustain value of deployed AI systems MAP-5.1 - Likelihood and Magnitude of Identified Impacts

OWASP LLM Top 10

LLM07 - Insecure Plugin Design LLM07:2023 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-13922?

If your organization runs WordPress with the TaxoPress AI Autotagger (Simple Tags) plugin, patch to 3.40.2+ immediately — any Contributor-level user with AI metabox permissions can exfiltrate your entire WordPress database via time-based blind SQL injection, including stored OpenAI API keys. As an interim workaround, revoke AI metabox permissions from Contributor roles and rotate any OpenAI API keys stored in wp_options.

Is CVE-2025-13922 actively exploited?

Proof-of-concept exploit code is publicly available for CVE-2025-13922, increasing the risk of exploitation.

How to fix CVE-2025-13922?

1. PATCH: Update Simple Tags / TaxoPress to 3.40.2+ via WP admin or `wp plugin update simple-tags`. Verify with `wp plugin get simple-tags --field=version`. 2. WORKAROUND (if patching delayed): Disable AI Autotagger feature or remove AI metabox capability from Contributor role via `wp role remove-cap contributor manage_options` or equivalent. 3. ROTATE KEYS: Immediately rotate any OpenAI API keys stored in WordPress. Restrict regenerated keys to WordPress server IP via OpenAI API key settings. 4. AUDIT ACCOUNTS: Review all Contributor-level accounts — remove unnecessary elevations; enforce least privilege on AI metabox permissions. 5. DETECT: Monitor admin-ajax.php access logs for repeated requests with 5–10 second response time patterns (time-based SQLi signature). Alert on `SLEEP`, `BENCHMARK`, or `WAITFOR DELAY` strings in POST body. 6. WAF: Deploy rule blocking SQL timing functions in the `existing_terms_orderby` parameter. Cloudflare, ModSecurity, and Wordfence all support parameter-level SQLi rules.

What systems are affected by CVE-2025-13922?

This vulnerability affects the following AI/ML architecture patterns: WordPress AI plugin integrations, CMS-based AI content classification pipelines, OpenAI API integrations with stored credentials, AI-augmented content management systems.

What is the CVSS score for CVE-2025-13922?

CVE-2025-13922 has a CVSS v3.1 base score of 6.5 (MEDIUM). The EPSS exploitation probability is 0.25%.

What is the AI security impact?

Affected AI Architectures

WordPress AI plugin integrationsCMS-based AI content classification pipelinesOpenAI API integrations with stored credentialsAI-augmented content management systems

MITRE ATLAS Techniques

AML.T0012 Valid Accounts

AML.T0025 Exfiltration via Cyber Means

AML.T0040 AI Model Inference API Access

AML.T0049 Exploit Public-Facing Application

AML.T0055 Unsecured Credentials

Compliance Controls Affected

EU AI Act: Art.9, Article 15

ISO 42001: 8.4, A.6.2.6

NIST AI RMF: GOVERN-1.7, MANAGE 2.2, MAP-5.1

OWASP LLM Top 10: LLM07, LLM07:2023

What are the technical details?

Original Advisory

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'existing_terms_orderby' parameter in the AI preview AJAX endpoint in all versions up to, and including, 3.40.1. This is due to insufficient escaping on user-supplied parameters and lack of SQL query parameterization. This makes it possible for authenticated attackers, with Contributor-level access and above who have AI metabox permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, cause performance degradation, or enable data inference through time-based techniques.

Exploitation Scenario

An attacker registers a free WordPress account or compromises a low-privileged Contributor credential (via credential stuffing or phishing). With AI metabox permissions enabled, they send crafted AJAX POST requests to `/wp-admin/admin-ajax.php` injecting a time-based payload into `existing_terms_orderby`: e.g., `name,(CASE WHEN (SUBSTRING((SELECT option_value FROM wp_options WHERE option_name='openai_api_key'),1,1)='s') THEN SLEEP(5) ELSE 0 END)`. By measuring response latency across thousands of automated requests, the attacker reconstructs database contents character by character — extracting wp_users password hashes, stored OpenAI API keys, Stripe keys, and any PII in the database. The extracted OpenAI key is then used for unauthorized inference at the victim's expense, or sold. Total time to extract a 32-character API key via automated tooling: under 30 minutes on a typical shared WordPress host.

Weaknesses (CWE)

CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

CWE-89 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection'): The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

[Architecture and Design] Use a vetted library or framework that does not allow this weakness to occur or provides constructs that make this weakness easier to avoid [REF-1482]. For example, consider using persistence layers such as Hibernate or Enterprise Java Beans, which can provide significant protection against SQL injection if used properly.
[Architecture and Design] If available, use structured mechanisms that automatically enforce the separation between data and code. These mechanisms may be able to provide the relevant quoting, encoding, and validation automatically, instead of relying on the developer to provide this capability at every point where output is generated. Process SQL queries using prepared statements, parameterized queries, or stored procedures. These features should accept parameters or variables and support strong typing. Do not dynamically construct and execute query strings within these features using "exec" or similar functionality, since this may re-introduce the possibility of SQL injection. [REF-867]

Source: MITRE CWE corpus.