EUVD-2026-23807

A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parseopenaipluginjsontotoolbundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The...

CVE-2026-6618

Summary (CVE-2026-6618): A flaw in langgenius dify up to 1.13.3 affects the component ApiBasedToolSchemaParser, specifically parse_openai_plugin_json_to_tool_bundle in api/core/tools/utils/parser.py. The issue allows an attacker to manipulate the argument url to trigger a server-side request forg...

CVE-2026-6618 langgenius dify ApiBasedToolSchemaParser parser.py parse_openai_plugin_json_to_tool_bundle server-side request forgery

A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parseopenaipluginjsontotoolbundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery. The...

PT-2026-33733

A flaw has been found in langgenius dify up to 1.13.3. This issue affects the function parse openai plugin json to tool bundle of the file api/core/tools/utils/parser.py of the component ApiBasedToolSchemaParser. Executing a manipulation of the argument url can lead to server-side request forgery...

CVE-2025-14371

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the taxopressaiaddpostterm function in all versions up to, and including, 3.41.0. This makes it possible for authenticat...

PT-2026-1421

Name of the Vulnerable Software and Affected Versions The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress versions through 3.41.0 Description The software contains a flaw that allows unauthorized modification of data. Specifically, a missing capability check...

CVE-2025-13922

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'existingtermsorderby' parameter in the AI preview AJAX endpoint in all versions up to, and including, 3.40.1. This is due to insufficient escaping on...

CVE-2025-13922

CVE-2025-13922 affects Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI (WordPress plugin). Time-based blind SQL Injection via the existing_terms_orderby parameter in the AI preview AJAX endpoint allows authenticated contributors (with AI metabox permissions) to append SQL queries,...

CVE-2025-13922 Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.1 - Authenticated (Contributor+) SQL Injection via ORDER BY Clause

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'existingtermsorderby' parameter in the AI preview AJAX endpoint in all versions up to, and including, 3.40.1. This is due to insufficient escaping on...

CVE-2025-13359

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of...

CVE-2025-13354

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the...

CVE-2025-13354

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.40.1. This is due to the plugin not properly verifying that a user is authorized to perform an action in the...

EUVD-2025-200977

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to time-based SQL Injection via the "getTermsForAjax" function in all versions up to, and including, 3.40.1. This is due to insufficient escaping on the user supplied parameters and lack of...

PT-2025-48808

Name of the Vulnerable Software and Affected Versions Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress versions through 3.40.1 Description The software is susceptible to a time-based SQL Injection issue via the getTermsForAjax function. This is a result of...

EUVD-2025-38356

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to SQL Injection via the 'posttypes' parameter in all versions up to, and including, 3.40.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2025-11972 Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.0 - Authenticated (Editor+) SQL Injection

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to SQL Injection via the 'posttypes' parameter in all versions up to, and including, 3.40.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

CVE-2025-11972 Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI <= 3.40.0 - Authenticated (Editor+) SQL Injection

The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress is vulnerable to SQL Injection via the 'posttypes' parameter in all versions up to, and including, 3.40.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the...

PT-2025-45543

Name of the Vulnerable Software and Affected Versions The Tag, Category, and Taxonomy Manager – AI Autotagger with OpenAI plugin for WordPress versions through 3.40.0 Description The software is susceptible to SQL Injection due to inadequate input validation and query preparation. Specifically, t...

CVE-2025-7725

CVE-2025-7725 affects the WordPress plugin “Contest Gallery – Upload, Vote & Sell with PayPal and Stripe” (and related Photo/Contest Gallery suite). The vulnerability is a Stored Cross-Site Scripting (XSS) in the comment feature present in all versions up to and including 26.1.0, caused by insuff...

CVE-2025-7725 Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI <= 26.1.0 - Unauthenticated Stored Cross-Site Scripting

The Photos, Files, YouTube, Twitter, Instagram, TikTok, Ecommerce Contest Gallery – Upload, Vote, Sell via PayPal or Stripe, Social Share Buttons, OpenAI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the comment feature in all versions up to, and including, 26.1.0 due to...