CVE-2025-13359
Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Authenticated (Contributor+) SQL InjectionThe Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with contributor level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database granted they have metabox access for the taxonomy (enabled by default for contributors).
We have discovered 4,787 live websites that are affected by CVE-2025-13359.
Affected Software
| Product |  Simple Tags |
| Category | Wordpress Plugins |
| Vulnerable Domains | 4,787 live websites (37% of Simple Tags install base) |
| Vulnerable Versions |
|
| Vulnerable Versions Count | 91 versions ( 96% of all versions) |
Common Weakness Enumeration
CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')Details
- Published - Dec 3, 2025
- Updated - Apr 8, 2026
Credits
- M Indra Purnama (finder)
CVE References
CWE References
CWE
Website Distribution by Country
Number of websites using CVE-2025-13359 United States | 1,492 websites |
 Japan | 481 websites |
 Germany | 424 websites |
 Russia | 348 websites |
 France | 332 websites |
 Italy | 322 websites |
 GB | 108 websites |
 Spain | 101 websites |
 Poland | 88 websites |
 Netherlands | 85 websites |
Website Distribution by TLD
Number of websites using CVE-2025-13359| .com | 2,090 websites |
| .net | 285 websites |
| .ru | 252 websites |
| .it | 237 websites |
| .de | 231 websites |
| .org | 230 websites |
| .fr | 129 websites |
| .jp | 114 websites |
| .nl | 71 websites |
| .info | 70 websites |
Vulnerable Versions
Vulnerable versions are highlighted in redWebsites affected by CVE-2025-13359
Top websites that are affected by CVE-2025-13359. Please click on the "Contact us" link to get more information.| Domain | Country | Rank | Contacts |
|---|---|---|---|
| *********.org | United States | *,*** | |
| *******.com | United States | *,*** | |
| *********.com | United States | *,*** | |
| ******.com | United States | *,*** | |
| ****************.com | United States | *,*** | |
| ****.org | United States | **,*** | |
| *********.com | United States | **,*** | |
| ********.com | United States | **,*** | |
| **********.cz |  Czech Republic | **,*** | |
| **********.org | Germany | **,*** |
FAQ
CVE-2025-13359 is Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in Simple Tags
A total of 4,787 websites have been identified as vulnerable to CVE-2025-13359, based on global website indexing conducted by WebTechSurvey.
The Simple Tags is affected by the CVE-2025-13359 vulnerability.
Simple Tags versions up to and including 3.40.1 are vulnerable to CVE-2025-13359.