CVE-2025-13359 is a time-based SQL Injection vulnerability identified in the 'Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI' WordPress plugin, versions up to and including 3.40.1. The vulnerability exists in the getTermsForAjax function, which processes user-supplied parameters without proper escaping or use of prepared statements, allowing an authenticated attacker with contributor-level privileges or higher to inject malicious SQL code. Contributors typically have metabox access for taxonomy management enabled by default, which facilitates exploitation. The attack vector is remote and does not require user interaction, but does require authentication with contributor or higher privileges. The vulnerability allows an attacker to append additional SQL queries to existing ones, enabling extraction of sensitive information from the backend database. The CVSS 3.1 base score is 6.5 (medium severity), reflecting the network attack vector, low attack complexity, and partial privileges required. The vulnerability impacts confidentiality but does not affect integrity or availability. No patches are currently linked, and no known exploits have been reported in the wild. This vulnerability highlights the risks of insufficient input validation and lack of parameterized queries in WordPress plugins, especially those that handle taxonomy and tagging features integrated with AI services like OpenAI.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive data stored within WordPress databases, including potentially user information, content metadata, and other critical business data managed via the affected plugin. Since contributors can exploit this flaw, organizations with active content contributors or editors who have contributor-level access are particularly vulnerable. The exposure of sensitive data could lead to privacy violations under GDPR, reputational damage, and potential regulatory penalties. Additionally, the breach of internal data could facilitate further attacks or unauthorized access. Given the widespread use of WordPress across Europe for corporate, governmental, and SME websites, the impact could be broad, especially in sectors relying heavily on content management systems. The lack of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits once the vulnerability is publicly known.

1. Immediately restrict contributor-level access to trusted users only and review existing user roles to minimize exposure. 2. Monitor and audit contributor activities for suspicious behavior related to taxonomy or tagging functions. 3. Implement Web Application Firewall (WAF) rules to detect and block SQL Injection patterns targeting the getTermsForAjax endpoint. 4. Employ additional input validation and sanitization on all user-supplied parameters related to taxonomy management. 5. Encourage plugin developers or site administrators to update to a patched version once available; in the interim, consider disabling the vulnerable plugin if feasible. 6. Use database activity monitoring tools to detect anomalous query patterns indicative of SQL Injection attempts. 7. Educate content contributors about the risks of privilege misuse and enforce strong authentication mechanisms. 8. Consider isolating WordPress instances or limiting database permissions to reduce the impact of potential data extraction.