TaxoPress < 3.42.0 – Missing Authorization to Authenticated (Contributor+) Arbitrary Post Tag Modification | CVE 2025-14371 | Plugin Vulnerabilities

Description

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopress_ai_add_post_term function in all versions up to, and including, 3.41.0. This makes it possible for authenticated attackers, with Contributor-level access and above, to add or remove taxonomy terms (tags, categories) on any post, including ones they do not own.

Affects Plugins

Fixed in 3.42.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/1ef51ffb-df1e-442d-abc8-3a0308099a0b

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

Dmitrii Ignatyev

Verified

No

WPVDB ID

514be889-38fd-4f49-bd89-f0f1bbea49f4

Timeline

Publicly Published

2026-01-05 (about 5 months ago)

Added

2026-01-05 (about 5 months ago)

Last Updated

2026-02-13 (about 4 months ago)

Other

Published

Title

Published

2025-04-16

Title

Slazzer Background Changer <= 3.14 - Missing Authorization

Published

2024-08-09

Title

Visual Website Collaboration, Feedback & Project Management – Atarim < 4.0.3 - Missing Authorization to Authenticated (Subscriber+) Settings Update

Published

2023-11-01

Title

Funnelforms Free < 3.4.2 - Missing Authorization to Post Modification

Published

2024-04-18

Title

ShopLentor < 2.8.2 - Contributor+ Template Reset

Published

2023-11-19

Title

Customer Reviews for WooCommerce < 5.38.2 - Missing Authorization via manual review reminders