Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI SQL Injection Vulnerability

Vulnerability

A time-based blind SQL injection vulnerability has been identified in the Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin for WordPress. This vulnerability affects all versions through 3.40.1 and allows authenticated attackers with Contributor-level access and AI metabox permissions to exploit the 'existing_terms_orderby' parameter in the AI preview AJAX endpoint. The vulnerability arises from inadequate escaping of user-supplied parameters and a lack of SQL query parameterization, enabling attackers to append additional SQL queries to existing ones. This could be used to extract sensitive database information, degrade performance, or infer data using time-based techniques.

Impact

Exploitation of this vulnerability allows for time-based blind SQL injection, where an attacker can manipulate SQL queries to extract information from the database, potentially leading to unauthorized data access or disclosure.

Reproduction

To reproduce this vulnerability, an authenticated user with Contributor-level access and AI metabox permissions can send a request to the AI preview AJAX endpoint. The 'existing_terms_orderby' parameter can be manipulated to inject malicious SQL queries. The absence of proper input validation and SQL query parameterization allows the injected SQL to be executed, creating a time-based blind SQL injection scenario.

Remediation

Users are advised to update the Tag, Category, and Taxonomy Manager - AI Autotagger with OpenAI plugin to version 3.41.0 or later, where this vulnerability has been patched.
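To illustrate the class of defect described above, the following is an added PHP example written for this page, not code from the plugin: it contrasts an ORDER BY value interpolated straight from the request with an allowlist-based fix. The handler names, query and column names are assumed; the point it shows is that SQL identifiers such as ORDER BY columns cannot be bound through $wpdb->prepare(), so validation against a fixed list is the correct fix for this parameter.

```php
<?php
// Added example, not the plugin's own code. The table join, column names and
// function names are assumptions chosen to resemble a term-listing query.

// Vulnerable pattern: the request value lands directly in the SQL string,
// so any text the caller supplies becomes part of the query.
function example_vulnerable_terms_query( $orderby ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT t.term_id, t.name, tt.count FROM {$wpdb->terms} t
         JOIN {$wpdb->term_taxonomy} tt ON tt.term_id = t.term_id
         ORDER BY {$orderby}"
    );
}

// Hardened pattern: map the request value onto an allowlist of known column
// expressions and fall back to a default when it does not match.
function example_safe_orderby( $requested ) {
    $allowed = array(
        'name'  => 't.name',
        'count' => 'tt.count',
        'id'    => 't.term_id',
    );
    // sanitize_key() lowercases and strips everything outside [a-z0-9_-].
    $key = sanitize_key( (string) $requested );
    return isset( $allowed[ $key ] ) ? $allowed[ $key ] : $allowed['name'];
}

function example_hardened_terms_query( $orderby, $limit = 50 ) {
    global $wpdb;
    // Only a string from the allowlist can reach the query text.
    $column = example_safe_orderby( $orderby );
    // Values (as opposed to identifiers) are bound with prepare() placeholders.
    return $wpdb->get_results(
        $wpdb->prepare(
            "SELECT t.term_id, t.name, tt.count FROM {$wpdb->terms} t
             JOIN {$wpdb->term_taxonomy} tt ON tt.term_id = t.term_id
             ORDER BY {$column} LIMIT %d",
            absint( $limit )
        )
    );
}
```

When reviewing a patched version, the check is that every dynamic ORDER BY, GROUP BY or column reference resolves through an allowlist like this, and that remaining values go through placeholders.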

Added: Dec 6, 2025, 5:23 AM
Updated: Dec 6, 2025, 5:23 AM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 6.3
remediation: 7.7
relevance: 1.3
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.