CVE-2025-13354: The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization
Summary
A WordPress plugin called AI Autotagger with OpenAI has a security flaw in versions up to 3.40.1 where it fails to properly check if users have permission to perform certain actions. This authorization bypass (a failure to verify that someone is allowed to do something) allows authenticated attackers with basic subscriber-level access to merge or delete taxonomy terms (categories and tags used to organize content) that they shouldn't be able to modify.
Solution / Mitigation
A patch is available. According to the source, users should update to the version fixed in the GitHub commit referenced at https://github.com/TaxoPress/TaxoPress/commit/5eb2cee861ebd109152eea968aca0259c078c8b0.
Vulnerability Details
4.3(medium)
EPSS: 0.0%
Classification
Affected Vendors
Related Issues
Original source: https://nvd.nist.gov/vuln/detail/CVE-2025-13354
First tracked: February 15, 2026 at 08:49 PM
Classified by LLM (prompt v3) · confidence: 72%