CVE-2025-13354
📋 TL;DR
This vulnerability allows authenticated WordPress users with subscriber-level access or higher to merge or delete arbitrary taxonomy terms without proper authorization. It affects all WordPress sites using the TaxoPress plugin up to version 3.40.1. Attackers can manipulate site structure and content organization.
💻 Affected Systems
- TaxoPress - Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress
📦 What is this software?
TaxoPress by TaxoPress
⚠️ Risk & Real-World Impact
Worst Case
Malicious users could delete or merge critical taxonomy terms, disrupting site navigation, breaking content organization, and potentially causing SEO damage or broken links.
Likely Case
Subscribers or low-privilege users could manipulate tags, categories, or custom taxonomies to disrupt content organization or create confusion.
If Mitigated
With proper access controls and monitoring, impact would be limited to minor taxonomy manipulation that can be restored from backups.
🎯 Exploit Status
Exploitation requires authenticated access with at least subscriber privileges. The vulnerability is in the taxopress_merge_terms_batch function.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 3.40.2 and later
Vendor Advisory: https://github.com/TaxoPress/TaxoPress/commit/5eb2cee861ebd109152eea968aca0259c078c8b0
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the TaxoPress plugin.
4. Click 'Update Now' if an update is available.
5. Alternatively, download version 3.40.2+ from WordPress.org and update manually.
🔧 Temporary Workarounds
Disable vulnerable function via code modification
Temporarily disable the taxopress_merge_terms_batch function until the patch can be applied
Edit wp-content/plugins/simple-tags/inc/class.client.php and comment out or remove the taxopress_merge_terms_batch function
Restrict user capabilities
Remove taxonomy management capabilities from the subscriber and contributor roles
Use WordPress role management plugin or add code to functions.php to remove 'manage_categories' capability from low-privilege roles
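The following must-use plugin is an added example, not code from the advisory or from TaxoPress. It applies the intent of both workarounds above without editing the plugin's files: it refuses the taxopress_merge_terms_batch AJAX action (the action name taken from the advisory's network indicator) to any user who lacks the core manage_categories capability, and logs the refusal. It assumes the action is dispatched through wp-admin/admin-ajax.php, which fires admin_init before the wp_ajax_{action} hook, so the check runs before the plugin's handler regardless of the hook priority the plugin used. Drop it into wp-content/mu-plugins/ and delete it once 3.40.2 or later is installed.

```php
<?php
/**
 * Plugin Name: Temporary guard for taxopress_merge_terms_batch
 * Description: Added example, not TaxoPress code. Place in wp-content/mu-plugins/
 *              and remove once TaxoPress 3.40.2+ is installed.
 */

// admin-ajax.php runs 'admin_init' before it dispatches wp_ajax_{action},
// so hooking here does not depend on how (or at what priority) the plugin
// registered its own handler. The AJAX transport via admin-ajax.php is an
// assumption taken from the advisory's network indicator.
add_action( 'admin_init', 'tpguard_block_unprivileged_merge' );

function tpguard_block_unprivileged_merge() {
    if ( ! wp_doing_ajax() ) {
        return; // only admin-ajax requests are of interest
    }

    $action = isset( $_REQUEST['action'] )
        ? sanitize_key( wp_unslash( $_REQUEST['action'] ) )
        : '';
    if ( 'taxopress_merge_terms_batch' !== $action ) {
        return; // some other AJAX action
    }

    // manage_categories is the core capability behind creating, editing and
    // deleting terms; subscribers and contributors do not hold it by default.
    if ( current_user_can( 'manage_categories' ) ) {
        return; // privileged user: let the plugin's own handler run
    }

    // Leave a trace for monitoring before refusing the request.
    $user = wp_get_current_user();
    error_log( sprintf(
        'taxopress-guard: blocked merge_terms_batch for user %d (roles: %s) from %s',
        $user->ID,
        implode( ',', (array) $user->roles ),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
    ) );

    // wp_send_json_error() terminates the request with wp_die(), so the
    // plugin's handler never executes for this request.
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
```

This is a stopgap, not a replacement for the 3.40.2 update: it only covers the one action named in the advisory and the admin-ajax.php path, and it sits in front of the plugin rather than fixing its missing authorization check. The error_log line gives the "taxonomy changes from low-privilege user accounts" indicator a concrete signal in the PHP error log.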
🧯 If You Can't Patch
- Temporarily deactivate the TaxoPress plugin until patched version is available
- Implement strict monitoring of taxonomy changes and user activity logs
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin → Plugins → Installed Plugins → TaxoPress version. If version is 3.40.1 or lower, you are vulnerable.
Check Version:
wp plugin get simple-tags --field=version (if WP-CLI is installed; the plugin's directory slug is simple-tags, as in the wp-content/plugins/simple-tags/ path above)
Verify Fix Applied:
After updating, verify TaxoPress version is 3.40.2 or higher in WordPress plugins page.
📡 Detection & Monitoring
Log Indicators:
- Unusual taxonomy merge or delete operations
- Taxonomy changes from low-privilege user accounts
- Multiple taxonomy modifications in short timeframes
Network Indicators:
- POST requests to /wp-admin/admin-ajax.php with action=taxopress_merge_terms_batch from non-admin users
SIEM Query:
source="wordpress" AND (event_type="taxonomy_merge" OR event_type="taxonomy_delete") AND user_role IN ("subscriber", "contributor")
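The script below is an added example, not part of the advisory or of any SIEM product. It implements the SIEM query above and the "multiple taxonomy modifications in short timeframes" indicator as offline logic over newline-delimited JSON audit events. The event schema (ts, event_type, user, user_role, action) and the sample lines are constructed for the example; the window and threshold are tunable constants.

```php
<?php
// Added example: offline check of taxonomy audit events against two of the
// log indicators above. Schema (constructed): ts, event_type, user, user_role, action.
// Usage: php detect_taxonomy.php events.ndjson   (no argument: runs on the sample)

const LOW_PRIV_ROLES   = [ 'subscriber', 'contributor' ];
const TAXONOMY_EVENTS  = [ 'taxonomy_merge', 'taxonomy_delete' ];
const BURST_WINDOW_SEC = 60;  // sliding window for the burst indicator
const BURST_THRESHOLD  = 3;   // this many taxonomy events by one user in the window

/**
 * Returns one finding string per matched indicator, in input order.
 */
function analyze_events( array $lines ): array {
    $findings = [];
    $per_user = []; // user => timestamps of their recent taxonomy events

    foreach ( $lines as $n => $line ) {
        $e = json_decode( trim( $line ), true );
        if ( ! is_array( $e ) || ! in_array( $e['event_type'] ?? '', TAXONOMY_EVENTS, true ) ) {
            continue; // malformed line or not a merge/delete event
        }
        $ts   = strtotime( $e['ts'] ?? '' );
        $user = $e['user'] ?? 'unknown';
        $role = strtolower( $e['user_role'] ?? '' );

        // Indicator 1: the SIEM query's logic: merge/delete by a low-privilege role.
        if ( in_array( $role, LOW_PRIV_ROLES, true ) ) {
            $findings[] = sprintf( 'line %d: %s by %s (%s)', $n + 1, $e['event_type'], $user, $role );
        }

        // Indicator 2: burst: keep only this user's events inside the window,
        // and report once when the count reaches the threshold.
        $per_user[ $user ][] = $ts;
        $per_user[ $user ]   = array_values( array_filter(
            $per_user[ $user ],
            fn( $t ) => $ts - $t <= BURST_WINDOW_SEC
        ) );
        if ( count( $per_user[ $user ] ) === BURST_THRESHOLD ) {
            $findings[] = sprintf(
                'line %d: burst: %d taxonomy changes by %s within %ds',
                $n + 1, BURST_THRESHOLD, $user, BURST_WINDOW_SEC
            );
        }
    }
    return $findings;
}

// Constructed sample events (not real log data). editor1 is benign;
// sub42 is a subscriber issuing three merges within one minute.
$sample = [
    '{"ts":"2025-11-20T10:00:00Z","event_type":"taxonomy_merge","user":"editor1","user_role":"editor","action":"taxopress_merge_terms_batch"}',
    '{"ts":"2025-11-20T10:00:05Z","event_type":"taxonomy_merge","user":"sub42","user_role":"subscriber","action":"taxopress_merge_terms_batch"}',
    '{"ts":"2025-11-20T10:00:07Z","event_type":"post_publish","user":"sub42","user_role":"subscriber"}',
    '{"ts":"2025-11-20T10:00:20Z","event_type":"taxonomy_delete","user":"sub42","user_role":"subscriber","action":"taxopress_merge_terms_batch"}',
    '{"ts":"2025-11-20T10:00:41Z","event_type":"taxonomy_merge","user":"sub42","user_role":"subscriber","action":"taxopress_merge_terms_batch"}',
    '{"ts":"2025-11-20T10:30:00Z","event_type":"taxonomy_delete","user":"editor1","user_role":"editor","action":"taxopress_merge_terms_batch"}',
];

$lines = isset( $argv[1] )
    ? file( $argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES )
    : $sample;

foreach ( analyze_events( $lines ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

On the sample this reports the three subscriber events individually and one burst finding at the third of them, while the editor's two events produce nothing. One caveat on the network indicator: admin-ajax.php actions are normally sent in the POST body, so a web-server access log alone will not show action=taxopress_merge_terms_batch; that indicator needs a WAF or application log that records the request body or the dispatched action.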