AI Autotagger (Taxo Press) is a popular plugin used in WordPress for automatically tagging posts and improving the content classification process. It helps users to efficiently manage taxonomies and tags across their site, saving time and improving content visibility. However, a critical vulnerability, CVE-2025-0627, was discovered in the plugin, which allows attackers to inject malicious scripts, enabling a backdoor creation that can lead to account takeover. This vulnerability is a stored Cross-Site Scripting (XSS) flaw that can be exploited by users with editor privileges.
| CVE | CVE-2025-0627 |
| AI Autotagger (Taxo Press) < 3.30.0 | |
| Critical | High |
| All Time | 5 324 511 |
| Active installations | 50 000+ |
| Publicly Published | April 22, 2025 |
| Last Updated | April 22, 2025 |
| Researcher | Dmitrii Ignatyev |
| OWASP TOP-10 | A7: Cross-Site Scripting (XSS) |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-0627 https://wpscan.com/vulnerability/30fbe3c5-f190-48e8-a6bb-e8d78e001e7f/ |
| Plugin Security Certification by CleanTalk |  |
| Logo of the plugin |  |
PSC by CleantalkJoin the community of developers who prioritize security. Highlight your plugin in the WordPress catalog.
Timeline
| January 25, 2025 | Plugin testing and vulnerability detection in the WordPress Tag, Category, and Taxonomy Manager – AI Autotagger have been completed |
| January 25, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| April 22, 2025 | Registered CVE-2025-0627 |
Discovery of the Vulnerability
The vulnerability was uncovered during routine testing of the AI Autotagger plugin. It was found that the “Title” field in the Tag Cloud widget settings did not properly sanitize user input, making it vulnerable to malicious code injection. By embedding a simple XSS payload, an attacker can craft a request that stores the malicious script in the widget’s settings. Once the widget is rendered on the frontend, the malicious script gets executed in the context of the user’s browser, potentially compromising sensitive information and user sessions.
Understanding of XSS attack’s
Cross-Site Scripting (XSS) vulnerabilities are among the most dangerous and common security flaws in WordPress plugins. XSS attacks allow an attacker to inject malicious JavaScript into a website, which is then executed when other users interact with the website. In this case, an attacker can inject JavaScript code into the “Title” field of the Tag Cloud widget, and upon rendering the widget on the frontend, the JavaScript executes, potentially hijacking user sessions, stealing cookies, and escalating the attacker’s privileges.
Exploiting the XSS Vulnerability
To exploit CVE-2025-0627, an attacker with editor+ privileges:
POC:
1) Create a new Widget "Tag Cloud" 2) Change "Title" field to <img src=x onerror=alert(1)> 3) To trigger XSS you should go to any page you have____
This vulnerability is a textbook example of how Stored XSS can be leveraged to escalate privileges or maintain persistent access on a compromised WordPress site. The fact that this can be done from within the widget interface significantly increases the likelihood of mass exploitation, especially on websites with multiple authors or editors. An attacker could:
- Install a keylogger to capture admin credentials.
- Redirect admins to phishing pages.
- Inject JavaScript to exploit other plugins or site visitors.
If combined with social engineering or other vulnerabilities, this XSS could even enable unauthenticated takeover via chained attacks.
Recommendations for Improved Security
To mitigate this vulnerability:
- Update AI Autotagger/TaxoPress to the latest version where this issue is patched.
- Enforce output escaping on all widget fields using WordPress-native functions like
esc_html()oresc_attr(). - Restrict widget editing capabilities only to trusted administrator roles.
- Deploy Web Application Firewalls (WAFs) to block suspicious JavaScript injection attempts.
- Regularly audit plugins and themes for unsanitized inputs and dangerous output contexts.
Site owners are strongly advised to conduct a full review of all widget content if this plugin was used by multiple users, and rotate administrator credentials in case of suspected compromise.
To prevent this type of attacks vendor used our methods of prevention.
By taking proactive measures to address Stored XSS vulnerabilities like CVE-2025-0627, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability
Use CleanTalk solutions to improve the security of your website
Dmitrii I.