CVE-2025-13354
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Missing Authorization to Authenticated (Subscriber+) Arbitrary Taxonomy Term ManipulationThe Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the "taxopress_merge_terms_batch" function. This makes it possible for authenticated attackers, with subscriber level access and above, to merge or delete arbitrary taxonomy terms.
We have discovered 4,787 live websites that are affected by CVE-2025-13354.
Affected Software
| Product |  Simple Tags |
| Category | Wordpress Plugins |
| Vulnerable Domains | 4,787 live websites (37% of Simple Tags install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 91 versions ( 96% of all versions) |
Common Weakness Enumeration
CWE-862 Missing AuthorizationDetails
- Published - Dec 3, 2025
- Updated - Apr 8, 2026
Credits
- M Indra Purnama (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-13354 United States | 1,492 websites |
 Japan | 481 websites |
 Germany | 424 websites |
 Russia | 348 websites |
 France | 332 websites |
 Italy | 322 websites |
 GB | 108 websites |
 Spain | 101 websites |
 Poland | 88 websites |
 Netherlands | 85 websites |
Website Distribution by TLD
Number of websites using CVE-2025-13354| .com | 2,090 websites |
| .net | 285 websites |
| .ru | 252 websites |
| .it | 237 websites |
| .de | 231 websites |
| .org | 230 websites |
| .fr | 129 websites |
| .jp | 114 websites |
| .nl | 71 websites |
| .info | 70 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-13354
Top websites that are affected by CVE-2025-13354. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.org | United States | *,*** | |
| *******.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| ****************.com | United States | *,*** | |
| ****.org | United States | **,*** | |
| *********.com | United States | **,*** | |
| ********.com | United States | **,*** | |
| **********.cz |  Czech Republic | **,*** | |
| **********.org | Germany | **,*** |
FAQ
CVE-2025-13354 is Missing Authorization in Simple Tags
A total of 4,787 websites have been identified as vulnerable to CVE-2025-13354, based on global website indexing conducted by WebTechSurvey.
The Simple Tags is affected by the CVE-2025-13354 vulnerability.
Simple Tags versions up to and including 3.40.1 are vulnerable to CVE-2025-13354.