CVE-2025-11972
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.0 - Authenticated (Editor+) SQL InjectionThe Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to SQL Injection via the 'post_types' parameter in all versions up to, and including, 3.40.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Editor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
We have discovered 4,321 live websites that are affected by CVE-2025-11972.
Affected Software
| Product |  Simple Tags |
| Category | Wordpress Plugins |
| Vulnerable Domains | 4,321 live websites (34% of Simple Tags install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 90 versions ( 95% of all versions) |
Common Weakness Enumeration
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Details
- Published - Nov 8, 2025
- Updated - Apr 8, 2026
Credits
- Naoya Takahashi (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-11972 United States | 1,363 websites |
 Japan | 442 websites |
 Germany | 377 websites |
 Russia | 330 websites |
 France | 304 websites |
 Italy | 293 websites |
 Spain | 95 websites |
 GB | 86 websites |
 Poland | 78 websites |
Website Distribution by TLD
Number of websites using CVE-2025-11972| .com | 1,885 websites |
| .net | 268 websites |
| .ru | 237 websites |
| .it | 218 websites |
| .de | 209 websites |
| .org | 207 websites |
| .fr | 119 websites |
| .jp | 103 websites |
| .info | 65 websites |
| .nl | 61 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-11972
Top websites that are affected by CVE-2025-11972. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.org | United States | *,*** | |
| *******.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| ****************.com | United States | *,*** | |
| ****.org | United States | **,*** | |
| *********.com | United States | **,*** | |
| ********.com | United States | **,*** | |
| **********.org | Germany | **,*** | |
| **************.com | United States | **,*** |
FAQ
CVE-2025-11972 is Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Simple Tags
A total of 4,321 websites have been identified as vulnerable to CVE-2025-11972, based on global website indexing conducted by WebTechSurvey.
The Simple Tags is affected by the CVE-2025-11972 vulnerability.
Simple Tags versions up to and including 3.40 are vulnerable to CVE-2025-11972.