CVE-2025-13354: CWE-862 Missing Authorization in stevejburge Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI
The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber-level access and above, to merge or delete arbitrary taxonomy terms.
AI Analysis
Technical Summary
CVE-2025-13354 is an authorization bypass vulnerability classified under CWE-862 affecting the 'Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI' WordPress plugin developed by stevejburge. The vulnerability arises because the plugin does not properly check whether a user is authorized to perform certain actions within the 'taxopress_merge_terms_batch' function. Specifically, this function allows merging or deleting taxonomy terms, which are critical for organizing content in WordPress. The flaw permits any authenticated user with at least subscriber-level privileges to bypass authorization controls and manipulate taxonomy terms arbitrarily. This can lead to unauthorized modification or deletion of categories, tags, or other taxonomies, potentially disrupting site content organization and user experience. The vulnerability is remotely exploitable over the network without requiring user interaction beyond authentication. The CVSS v3.1 base score is 4.3 (medium severity), reflecting low complexity and no impact on confidentiality or availability, but a partial impact on integrity. No patches or fixes have been released at the time of this report, and no active exploitation has been observed. The vulnerability affects all versions up to and including 3.40.1 of the plugin. Given the widespread use of WordPress in Europe and the popularity of taxonomy management plugins, this vulnerability poses a risk to websites relying on this plugin for content categorization and tagging.
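The CWE-862 pattern described above, as an added illustration that is not the plugin's source code: a hypothetical WordPress AJAX handler that merges terms without asking whether the caller may manage them, beside the hardened shape that checks the nonce and the taxonomy's own capability (function and action names are assumptions; the real handler is the page's `taxopress_merge_terms_batch`).

```php
<?php
// Added illustration, not the plugin's code. The "before" handler reproduces
// the advisory's flaw shape: wp_ajax_* hooks only require a logged-in user,
// so a subscriber reaches it and the handler never checks authorization.
add_action( 'wp_ajax_example_merge_terms', 'example_merge_terms_unchecked' );
function example_merge_terms_unchecked() {
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    $into     = absint( $_POST['into'] ?? 0 );
    $from     = array_map( 'absint', (array) ( $_POST['from'] ?? array() ) );
    example_do_merge( $taxonomy, $into, $from );   // no capability or nonce check
    wp_send_json_success();
}

// "After": verify the CSRF nonce first, then the capability that the taxonomy
// itself declares (manage_categories by default for categories and tags).
add_action( 'wp_ajax_example_merge_terms_v2', 'example_merge_terms_checked' );
function example_merge_terms_checked() {
    check_ajax_referer( 'example_merge_terms', 'nonce' );   // dies with -1 on failure

    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    $tax_obj  = get_taxonomy( $taxonomy );
    // Deny when the taxonomy does not exist or the user lacks the caps for
    // both halves of a merge: editing the target and deleting the sources.
    if ( ! $tax_obj
        || ! current_user_can( $tax_obj->cap->manage_terms )
        || ! current_user_can( $tax_obj->cap->delete_terms ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $into = absint( $_POST['into'] ?? 0 );
    $from = array_map( 'absint', (array) ( $_POST['from'] ?? array() ) );
    example_do_merge( $taxonomy, $into, $from );
    wp_send_json_success();
}

// Shared merge logic (hypothetical): move every object attached to a source
// term onto the target term, then delete the source term.
function example_do_merge( $taxonomy, $into, array $from ) {
    foreach ( $from as $term_id ) {
        if ( $term_id === $into ) {
            continue;
        }
        $objects = get_objects_in_term( $term_id, $taxonomy );
        if ( is_wp_error( $objects ) ) {
            continue;
        }
        foreach ( $objects as $object_id ) {
            wp_set_object_terms( (int) $object_id, $into, $taxonomy, true );
        }
        wp_delete_term( $term_id, $taxonomy );
    }
}
```

The capability names come from the taxonomy object's `cap` member, so a custom taxonomy registered with its own capabilities is honoured without hard-coding `manage_categories`.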
Potential Impact
For European organizations, this vulnerability primarily threatens the integrity of website content taxonomy. Unauthorized merging or deletion of taxonomy terms can disrupt content categorization, impair navigation, and degrade user experience on corporate or public-facing websites. This could indirectly affect brand reputation and user trust. While the vulnerability does not expose sensitive data or cause denial of service, the ability for low-privilege authenticated users to alter site structure could facilitate further attacks, such as SEO manipulation or content spoofing. Organizations relying on WordPress for e-commerce, news, or informational portals may face operational disruptions. Additionally, regulatory compliance related to website integrity and content management (e.g., under GDPR for accurate information presentation) could be impacted if unauthorized changes are not detected and corrected promptly. The risk is heightened for organizations with many subscriber-level users or where user account management is less stringent.
Mitigation Recommendations
European organizations should immediately audit their WordPress installations to identify if the vulnerable plugin and versions are in use. Until an official patch is released, mitigation can include:
1) Restricting subscriber-level user capabilities by using role management plugins to limit access to taxonomy management functions.
2) Implementing Web Application Firewall (WAF) rules to detect and block requests targeting the 'taxopress_merge_terms_batch' function or suspicious taxonomy modification attempts.
3) Monitoring logs for unusual taxonomy term merges or deletions and setting up alerts for such activities.
4) Temporarily disabling or removing the vulnerable plugin if taxonomy management is not critical or can be handled by alternative secure plugins.
5) Enforcing strong authentication and user account hygiene to reduce the number of potentially exploitable accounts.
6) Preparing to apply vendor patches promptly once available and testing updates in staging environments before production deployment.
7) Educating site administrators about the risk and signs of exploitation to enable rapid response.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-18T11:43:32.191Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6930444551392e1c8b19b537
Added to database: 12/3/2025, 2:08:05 PM
Last enriched: 12/3/2025, 2:24:35 PM
Last updated: 12/4/2025, 8:00:57 PM