CVE-2025-13354: CWE-862 Missing Authorization in stevejburge Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
CVE-2025-13354 is a medium-severity missing-authorization vulnerability (CWE-862) in the WordPress plugin 'Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI' by stevejburge, affecting all versions up to and including 3.40.1. The plugin's 'taxopress_merge_terms_batch' function does not verify that the caller holds the capability needed to manage terms before it acts, so any authenticated user with subscriber-level access or higher can merge or delete arbitrary taxonomy terms. Exploitation is remote, requires only a valid low-privilege login, and needs no user interaction. The flaw affects integrity only (unauthorized modification of taxonomy data); confidentiality and availability are not impacted. No exploitation in the wild is reported. European organizations running this plugin face a risk to the integrity of content categorization and site management. Mitigation is to update to a fixed release once the vendor publishes one; until then, deactivate the plugin or block requests that reach the affected function, and monitor taxonomy changes closely. Countries with high WordPress adoption and significant digital content management, such as Germany, the UK, France, Italy, and the Netherlands, are most likely to be affected.
AI Analysis
Technical Summary
CVE-2025-13354 is a missing-authorization vulnerability (CWE-862) in the 'Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI' WordPress plugin by stevejburge. The 'taxopress_merge_terms_batch' function, which merges taxonomy terms in batch (reassigning content from source terms to a target term and removing the sources), performs no capability check on the caller. In WordPress core, creating, editing and deleting terms is gated on the 'manage_categories' capability (or the per-term meta capabilities 'edit_term' and 'delete_term'), which only Editors and Administrators hold by default; because the plugin's function skips this check, any logged-in account, including a Subscriber, can reach it and merge or delete arbitrary terms. Taxonomy terms organize content, so unauthorized changes disrupt site structure, archive pages, navigation and SEO. The vulnerability is remotely exploitable, requires only low privileges (any account) and no user interaction. The CVSS 3.1 base score is 4.3 (medium): no confidentiality or availability impact, low integrity impact. As of this entry no patch or public exploit code is recorded; the CVE is published (assigned by Wordfence) and should be remediated promptly. The plugin is widely used on WordPress sites that rely on AI-assisted tagging, so automated taxonomy management on many sites is exposed.
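The following PHP is an added, illustrative example and not code from the plugin: a minimal batch "merge terms" AJAX handler written the way CWE-862 typically appears, beside a hardened version that adds the nonce and capability checks WordPress core expects. The action name, request parameter names and the 'example_' helper names are assumptions chosen for this illustration; the plugin's real handler and request format are not reproduced here.

```php
<?php
/**
 * Illustrative example (not the plugin's code): a batch "merge terms" AJAX
 * handler with missing authorization (CWE-862), followed by a hardened form.
 * Action name, parameter names and helper names are assumed.
 */

// Shared worker: reassign every object from each source term to the target,
// then delete the source term. Expects integer term IDs and a taxonomy slug.
function example_merge_terms( array $source_ids, int $target_id, string $taxonomy ) {
    $merged = array();
    foreach ( $source_ids as $source_id ) {
        if ( $source_id === $target_id ) {
            continue;
        }
        $objects = get_objects_in_term( $source_id, $taxonomy );
        if ( is_wp_error( $objects ) ) {
            return $objects;
        }
        foreach ( $objects as $object_id ) {
            // Append the target term; keep the object's other terms intact.
            wp_set_object_terms( (int) $object_id, array( $target_id ), $taxonomy, true );
        }
        $result = wp_delete_term( $source_id, $taxonomy );
        if ( is_wp_error( $result ) ) {
            return $result;
        }
        $merged[] = $source_id;
    }
    return $merged;
}

// VULNERABLE: wp_ajax_* hooks only require a logged-in session, and nothing
// here checks who the caller is, so a Subscriber can merge or delete any term.
function example_merge_terms_batch_vulnerable() {
    $taxonomy   = sanitize_key( $_POST['taxonomy'] ?? '' );
    $target_id  = absint( $_POST['target_term'] ?? 0 );
    $source_ids = array_map( 'absint', (array) ( $_POST['source_terms'] ?? array() ) );

    $result = example_merge_terms( $source_ids, $target_id, $taxonomy );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message() );
    }
    wp_send_json_success( $result );
}

// HARDENED: CSRF token, taxonomy validity, then capability checks on every
// term touched. Accounts without the capability receive HTTP 403.
function example_merge_terms_batch_hardened() {
    check_ajax_referer( 'example_merge_terms', 'nonce' ); // dies on a missing or bad nonce

    $taxonomy   = sanitize_key( $_POST['taxonomy'] ?? '' );
    $target_id  = absint( $_POST['target_term'] ?? 0 );
    $source_ids = array_map( 'absint', (array) ( $_POST['source_terms'] ?? array() ) );

    if ( ! taxonomy_exists( $taxonomy ) ) {
        wp_send_json_error( 'Unknown taxonomy.', 400 );
    }
    // Coarse gate: core's capability for managing terms (Editors/Admins by default).
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_send_json_error( 'Insufficient permissions.', 403 );
    }
    // Fine-grained gate: per-term meta capabilities. Core maps these through the
    // term's taxonomy and denies them outright for IDs that do not exist.
    if ( ! current_user_can( 'edit_term', $target_id ) ) {
        wp_send_json_error( 'Cannot edit target term.', 403 );
    }
    foreach ( $source_ids as $source_id ) {
        if ( ! current_user_can( 'delete_term', $source_id ) ) {
            wp_send_json_error( 'Cannot delete term ' . $source_id . '.', 403 );
        }
    }

    $result = example_merge_terms( $source_ids, $target_id, $taxonomy );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( $result );
}

// Only the hardened handler should ever be registered (action name assumed).
add_action( 'wp_ajax_example_merge_terms_batch', 'example_merge_terms_batch_hardened' );
```

The nonce alone would not have prevented this class of bug: a Subscriber can obtain a valid nonce for any action whose nonce is rendered to them. The authorization decision is the current_user_can() calls, and the per-term checks matter because 'manage_categories' is a global capability while a merge touches specific terms that may belong to a taxonomy with its own capability mapping.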
Potential Impact
For European organizations, the primary impact is on the integrity of content management on sites using this plugin. Unauthorized merging or deletion of taxonomy terms misclassifies content, breaks navigation and archive structures, and degrades the user experience, with knock-on damage to brand reputation and SEO rankings. The vulnerability exposes no sensitive data and causes no outage, but it undermines trust in content accuracy and in site administration. Organizations that depend on WordPress for their digital presence, especially those using AI-driven tagging, face operational disruption and added administrative effort to detect and reverse unauthorized taxonomy changes. Media companies, e-commerce platforms and public-sector websites, where categorization drives discoverability, are the most exposed. Because any authenticated account suffices, the risk comes from insiders, from compromised subscriber accounts, and, on sites with open registration enabled ('Anyone can register' under Settings > General), from anyone willing to sign up.
Mitigation Recommendations
1. Watch for a fixed release from the plugin vendor and update as soon as one is available; confirm the fixed version against the plugin changelog and the Wordfence advisory.
2. Do not rely on role or capability tweaks as a stop-gap: Subscribers already lack 'manage_categories', and the flaw is precisely that the function never checks capabilities. Until a fix is applied, deactivate the plugin (or its term-merging feature, if that can be disabled separately), review which low-privilege accounts exist, and turn off open registration unless it is genuinely required.
3. Log and alert on taxonomy term changes. WordPress core fires the 'delete_term' and 'edited_term' actions on every term deletion and edit regardless of which code performed it, so a hook on those actions sees merges done through the vulnerable function as well as through the normal UI.
4. Audit taxonomy data and user roles regularly; a term deleted or edited by an account that does not hold 'manage_categories' is a direct indicator that the unauthorized path was exercised.
5. Where the plugin cannot be deactivated, consider replacing it with an alternative that enforces proper authorization.
6. Educate site administrators and content managers about the risk, and enforce strong passwords and multi-factor authentication for all accounts, including subscribers, since any compromised low-privilege account is sufficient.
7. Use a web application firewall to monitor, and where possible block, requests that invoke the vulnerable function (for example by matching the action name 'taxopress_merge_terms_batch' if it appears in the request) from sessions that should not be managing terms.
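As an added example of recommendations 3 and 4 (not code from the plugin or its vendor), the following must-use plugin logs every term deletion and edit with the acting user, their roles and the AJAX action that triggered it, and emails the site administrator when a deletion is performed by an account that does not hold 'manage_categories'. The log field names and the 'example_' prefix are this example's own choices; the hooks, capability name and WordPress functions are core APIs.

```php
<?php
/**
 * Plugin Name: Example Term Change Audit
 * Description: Added example, not the plugin's code. Logs term deletions and
 *              edits with the acting user and request so that unauthorized
 *              merges or deletions are visible in the PHP error log, and
 *              alerts on deletions by accounts lacking manage_categories.
 * Install: copy into wp-content/mu-plugins/ (loads on every request).
 */

// Build one structured log line. Field names are this example's own choice.
function example_term_audit_line( string $event, array $fields ): string {
    $user = wp_get_current_user();
    $base = array(
        'event'   => $event,
        'user_id' => get_current_user_id(),          // 0 for cron/CLI/unauthenticated
        'login'   => $user->exists() ? $user->user_login : '(none)',
        'roles'   => $user->exists() ? implode( ',', (array) $user->roles ) : '',
        'ajax'    => wp_doing_ajax() ? sanitize_key( $_REQUEST['action'] ?? '' ) : '',
        'ip'      => $_SERVER['REMOTE_ADDR'] ?? '',
        'time'    => gmdate( 'c' ),
    );
    return 'term_audit ' . wp_json_encode( array_merge( $base, $fields ) );
}

// Core fires delete_term after a term is removed; this covers the "delete"
// half of a merge no matter which code path performed it.
add_action( 'delete_term', function ( $term_id, $tt_id, $taxonomy, $deleted_term, $object_ids ) {
    $line = example_term_audit_line( 'delete_term', array(
        'term_id'      => (int) $term_id,
        'taxonomy'     => $taxonomy,
        'name'         => $deleted_term instanceof WP_Term ? $deleted_term->name : '',
        'object_count' => is_array( $object_ids ) ? count( $object_ids ) : 0,
    ) );
    error_log( $line );

    // A deletion by an account that could not have done this through the normal
    // UI is the signature of the missing-authorization path: alert immediately.
    if ( ! current_user_can( 'manage_categories' ) ) {
        wp_mail(
            get_option( 'admin_email' ),
            'Unauthorized term deletion on ' . home_url(),
            $line
        );
    }
}, 10, 5 );

// Core fires edited_term after a rename, slug change or re-parenting.
add_action( 'edited_term', function ( $term_id, $tt_id, $taxonomy ) {
    $term = get_term( $term_id, $taxonomy );
    error_log( example_term_audit_line( 'edited_term', array(
        'term_id'  => (int) $term_id,
        'taxonomy' => $taxonomy,
        'name'     => $term instanceof WP_Term ? $term->name : '',
    ) ) );
}, 10, 3 );
```

Ship the error log to a SIEM and alert on any 'term_audit' line whose 'roles' lacks editor or administrator. Expect some noise from legitimate non-interactive paths (WP-CLI and cron run as user 0, so 'user_id' is 0 and the mail alert fires); filter those by the absence of an 'ajax' action and an empty 'ip' rather than suppressing the rule.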
Affected Countries
Germany, United Kingdom, France, Italy, Netherlands, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-18T11:43:32.191Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6930444551392e1c8b19b537
Added to database: 12/3/2025, 2:08:05 PM
Last enriched: 12/10/2025, 2:51:24 PM
Last updated: 1/18/2026, 5:05:12 PM