CVE-2025-13359 — MEDIUM (CVSS 6.5) AI Security Vulnerability

CISO Take

A time-based SQL injection in the TaxoPress OpenAI WordPress plugin lets any contributor extract the full database, including stored OpenAI API keys. Patch to the latest version immediately or disable the plugin; rotate any exposed OpenAI API keys without delay. The primary AI risk is API key theft enabling unauthorized LLM usage and cost abuse against your account.

Affected Systems

Package	Ecosystem	Vulnerable Range	Patched
taxopress	—	—	No patch

Do you use taxopress? You're affected.

Severity & Risk

CVSS 3.1

6.5 / 10

EPSS

N/A

KEV Status

Not in KEV

Sophistication

Moderate

Recommended Action

1. Patch immediately: update TaxoPress to the version including commit 1097a22. 2. Rotate the OpenAI API key stored in WordPress options table — do not wait for patching if there is any delay. 3. Restrict contributor metabox access for taxonomy management (Admin > TaxoPress settings). 4. Query wp_options for 'taxopress' and 'openai' entries to identify exposed credentials and assess blast radius. 5. Detection: monitor admin-ajax.php for repeated requests with 'getTermsForAjax' action exhibiting abnormal response time variance — characteristic of time-based SQLi probing. 6. If WAF is deployed, add rule blocking SQLi patterns on that AJAX endpoint.

Classification

Data Extraction Privacy Violation Plugin API AML.T0010.001 - AI Software AML.T0025 - Exfiltration via Cyber Means AML.T0034 - Cost Harvesting AML.T0049 - Exploit Public-Facing Application AML.T0055 - Unsecured Credentials

Compliance Impact

This CVE is relevant to:

EU AI Act

Art.13 - Transparency and Provision of Information Art.9 - Risk Management System

ISO 42001

A.6.2 - AI System Roles and Responsibilities A.9.3 - AI System Security A.9.4 - System and Application Access Control

NIST AI RMF

GOVERN-1.7 - Processes for AI Risk Management MANAGE-2.2 - Risk Treatment — AI System Security Controls MANAGE-2.4 - Mechanisms for Incident Response

OWASP LLM Top 10

LLM05:2025 - Improper Output Handling / Supply Chain Vulnerabilities LLM06 - Sensitive Information Disclosure LLM07 - Insecure Plugin Design

Technical Details

NVD Description

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database granted they have metabox access for the taxonomy (enabled by default for contributors).

Exploitation Scenario

Attacker registers as a contributor on a WordPress site using TaxoPress with OpenAI integration enabled. Using a time-based SQLi payload injected into the getTermsForAjax AJAX endpoint (metabox access enabled by default), they enumerate the wp_options table to extract the stored OpenAI API key. With the stolen key, the attacker makes unauthorized OpenAI API calls for cost harvesting, accesses any fine-tuned models tied to that key, or pivots to other services if the API key is reused. Total time from contributor access to key extraction: under 30 minutes with automated tooling.

Weaknesses (CWE)

CWE-89

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References

Timeline

Published

December 3, 2025

Last Modified

December 5, 2025

First Seen

December 3, 2025