Description
The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms.
Published: 2025-12-03
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Taxonomy Term Manipulation via Authorization Bypass
Action: Patch
AI Analysis

Impact

The TaxoPress "Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI" plugin contains an authorization bypass in the "taxopress_merge_terms_batch" function. The missing authorization check (CWE‑862) allows an authenticated user who has subscriber rights or higher to merge or delete taxonomy terms that they normally would not be permitted to alter. This elevation of privilege can corrupt content classification, disrupt site navigation, and undermine the integrity of the WordPress taxonomy system.

Affected Systems

WordPress installations running the TaxoPress plugin version 3.40.1 or earlier are impacted. The vulnerability is not present in versions newer than 3.40.1, and the issue applies to all supported WordPress versions that host the affected plugin.

Risk and Exploitability

The CVSS base score of 4.3 indicates moderate risk, while an EPSS score of less than 1 percent shows that exploitation attempts are expected to be rare. The vulnerability is not listed in the CISA KEV catalog. An attacker would need legitimate subscriber level credentials to perform the bypass and manipulate taxonomy terms, so the attack vector is largely confined to authenticated site use. The lack of network or remote code execution vectors reduces the likelihood of widespread compromise.

Generated by OpenCVE AI on April 22, 2026 at 16:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the TaxoPress plugin to any version newer than 3.40.1 to remove the missing authorization check
  • Re‑evaluate role capabilities and remove or restrict the ability for subscriber-level users to access taxonomy merge or delete actions if possible
  • Enable logging or monitoring of taxonomy changes to detect any unauthorized modifications

Generated by OpenCVE AI on April 22, 2026 at 16:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Dec 2025 18:45:00 +0000

Type Values Removed Values Added
First Time appeared Taxopress
Taxopress taxopress
CPEs cpe:2.3:a:taxopress:taxopress:*:*:*:*:*:wordpress:*:*
Vendors & Products Taxopress
Taxopress taxopress

Thu, 04 Dec 2025 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Wordpress
Wordpress wordpress
Vendors & Products Wordpress
Wordpress wordpress

Wed, 03 Dec 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 03 Dec 2025 14:00:00 +0000

Type Values Removed Values Added
Description The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms.
Title Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term Manipulation
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Taxopress Taxopress
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:28.761Z

Reserved: 2025-11-18T11:43:32.191Z

Link: CVE-2025-13354

cve-icon Vulnrichment

Updated: 2025-12-03T14:50:36.634Z

cve-icon NVD

Status : Analyzed

Published: 2025-12-03T14:15:46.930

Modified: 2025-12-05T18:41:56.647

Link: CVE-2025-13354

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:30:22Z

Weaknesses