CVE-2025-11972 identifies an SQL Injection vulnerability in the 'Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI' WordPress plugin developed by stevejburge. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89) specifically through the 'post_types' parameter. This parameter is insufficiently escaped and the SQL queries are not properly prepared, allowing attackers with Editor-level or higher privileges to append arbitrary SQL commands to existing queries. This can lead to unauthorized extraction of sensitive information from the WordPress database, such as user data, configuration details, or other confidential content stored therein. The vulnerability affects all plugin versions up to and including 3.40.0. Exploitation requires authenticated access with elevated privileges but does not require additional user interaction. The CVSS v3.1 score is 4.9 (medium severity), reflecting network attack vector, low attack complexity, high privileges required, no user interaction, and high impact on confidentiality but no impact on integrity or availability. No public exploits have been reported yet. The vulnerability was reserved on October 20, 2025, and published on November 8, 2025. The lack of patches or official fixes at the time of reporting increases the urgency for mitigation. This vulnerability highlights the risks of insufficient input validation and the importance of using parameterized queries or prepared statements in WordPress plugin development.

The primary impact of this vulnerability is unauthorized disclosure of sensitive information stored in the WordPress database. Attackers with Editor-level or higher privileges can exploit the SQL Injection flaw to extract data beyond their normal access rights, potentially exposing user credentials, personal data, or site configuration details. Although the vulnerability does not allow modification or deletion of data (no integrity or availability impact), the confidentiality breach can lead to further attacks such as privilege escalation, phishing, or targeted exploitation of exposed data. Organizations running WordPress sites with this plugin installed are at risk of data leakage, which can damage reputation, violate privacy regulations, and result in compliance penalties. Since exploitation requires elevated privileges, insider threats or compromised Editor accounts pose the greatest risk. The absence of known exploits reduces immediate threat but does not eliminate the risk of future attacks. The vulnerability affects all sites using the vulnerable plugin versions, which may be widespread given WordPress's global popularity.

1. Immediately update the 'Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI' plugin to a patched version once available from the vendor. 2. Until a patch is released, restrict Editor-level and higher privileges to trusted users only, minimizing the risk of exploitation. 3. Implement Web Application Firewall (WAF) rules to detect and block suspicious SQL injection patterns targeting the 'post_types' parameter. 4. Review and harden database user permissions to limit data exposure in case of injection attacks. 5. Conduct code audits on custom or third-party plugins to ensure proper use of parameterized queries and input sanitization. 6. Monitor database logs and WordPress activity logs for unusual query patterns or access attempts. 7. Educate site administrators about the risks of privilege escalation and enforce strong authentication mechanisms. 8. Consider disabling or removing the vulnerable plugin if it is not essential to site functionality until a secure update is available.