CVE-2025-13354 is a medium-severity authorization bypass vulnerability identified in the Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress, maintained by stevejburge. The vulnerability affects all plugin versions up to and including 3.40.1. The root cause lies in the taxopress_merge_terms_batch function, which does not properly verify whether the authenticated user has the necessary permissions to perform merge or delete operations on taxonomy terms. This improper authorization check allows any authenticated user with subscriber-level privileges or higher to merge or delete arbitrary taxonomy terms, actions typically reserved for higher-privileged roles such as editors or administrators. The vulnerability does not require user interaction and can be exploited remotely over the network. While the vulnerability does not expose confidential data or disrupt availability, it compromises the integrity of the taxonomy data structure, potentially affecting site content organization, SEO, and user navigation. The CVSS v3.1 base score is 4.3, reflecting low attack complexity but limited impact scope. No public exploits have been reported so far. The vulnerability was published on December 3, 2025, with no official patches currently linked, so users must monitor vendor updates or apply temporary mitigations.

The primary impact of CVE-2025-13354 is the unauthorized modification of taxonomy terms within WordPress sites using the vulnerable plugin. This can lead to unintended merging or deletion of categories, tags, or custom taxonomies, which may disrupt website content organization, degrade user experience, and negatively affect SEO rankings. For organizations relying on structured content classification, this could impair content discoverability and management workflows. Although the vulnerability does not directly expose sensitive data or cause denial of service, the integrity compromise can facilitate further attacks by obfuscating content or hiding malicious posts within altered taxonomies. Attackers with subscriber-level access, often easier to obtain than administrative credentials, can exploit this vulnerability, increasing risk especially on sites with many registered users. The scope is limited to WordPress sites using this specific plugin, but given WordPress's global popularity, the potential attack surface is significant. No known exploits in the wild reduce immediate risk, but the vulnerability should be addressed promptly to prevent future exploitation.

Organizations should immediately verify if they use the Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin and identify the installed version. Since no official patch is currently linked, administrators should restrict subscriber-level user capabilities as a temporary mitigation, limiting the ability of low-privilege users to access or trigger taxonomy management functions. Implementing a Web Application Firewall (WAF) with custom rules to detect and block requests invoking the taxopress_merge_terms_batch function from unauthorized users can reduce risk. Monitoring logs for unusual taxonomy merge or deletion activities is recommended to detect exploitation attempts. Site administrators should follow the plugin vendor's updates closely and apply patches immediately upon release. Additionally, consider limiting plugin usage to trusted users and disabling or removing the plugin if it is not essential. Regular backups of taxonomy data and site content will aid recovery if unauthorized changes occur.