CVE-2025-13359 is a SQL Injection vulnerability classified under CWE-89 affecting the WordPress plugin 'Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI' up to version 3.40.1. The vulnerability arises from insufficient escaping and preparation of SQL queries in the 'getTermsForAjax' function, which processes user-supplied parameters. Authenticated users with contributor-level privileges or higher can exploit this flaw because contributors have default metabox access to taxonomies, enabling them to inject additional SQL commands into existing queries. The injection is time-based, allowing attackers to infer data by measuring response delays, facilitating extraction of sensitive information from the backend database. The attack vector requires no user interaction beyond authentication, and the vulnerability does not affect integrity or availability but compromises confidentiality. While no known exploits are currently in the wild, the vulnerability's medium CVSS score (6.5) reflects its moderate ease of exploitation and potential impact. The plugin is used in WordPress sites that rely on AI-powered taxonomy management, making affected sites vulnerable to data breaches if unpatched.

The primary impact of this vulnerability is unauthorized disclosure of sensitive data stored in the WordPress database, including potentially user information, site configuration, or other confidential content. Since the vulnerability allows SQL Injection by authenticated contributors, attackers can leverage compromised or malicious contributor accounts to escalate data access without requiring administrator privileges. This can lead to privacy violations, intellectual property theft, or further pivoting within the network if database credentials or other sensitive data are exposed. Although the vulnerability does not directly affect data integrity or site availability, the confidentiality breach can undermine trust and compliance with data protection regulations. Organizations running WordPress sites with this plugin are at risk of targeted attacks, especially if contributor accounts are not tightly controlled or monitored.

1. Immediately update the 'Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI' plugin to a patched version once available. 2. If a patch is not yet available, restrict contributor-level access or disable metabox access for contributors to taxonomies to reduce attack surface. 3. Implement strict input validation and sanitization on all user-supplied parameters in the plugin's code, especially in the 'getTermsForAjax' function. 4. Employ Web Application Firewalls (WAFs) with SQL Injection detection rules tailored to WordPress environments to block suspicious queries. 5. Monitor logs for unusual database query patterns or timing anomalies indicative of time-based SQL Injection attempts. 6. Enforce the principle of least privilege for user roles, auditing contributor accounts regularly. 7. Consider database-level protections such as limiting the database user's permissions to only necessary operations. 8. Conduct security reviews and penetration testing focused on plugin vulnerabilities before deploying updates.