CVE-2025-0627: 
WordPress vulnerability analysis and mitigation

The WordPress Tag, Category, and Taxonomy Manager WordPress plugin (also known as AI Autotagger) before version 3.30.0 contains a stored Cross-Site Scripting (XSS) vulnerability. The vulnerability was discovered by Dmitrii Ignatyev and was publicly disclosed on April 7, 2025 (WPScan).

The vulnerability stems from improper sanitization and escaping of Widget settings in the plugin. This security flaw exists even when the unfiltered_html capability is disallowed, such as in multisite setups. The vulnerability has been assigned a CVSS v3.1 score of 3.5 (Low) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:L/I:L/A:N and is classified as CWE-79: Improper Neutralization of Input During Web Page Generation (NVD, Wiz).

The vulnerability allows high-privilege users such as administrators to perform Stored Cross-Site Scripting attacks. When exploited, it could potentially lead to the execution of malicious JavaScript code in the context of other users' browsers who view the affected pages (WPScan).

The vulnerability has been fixed in version 3.30.0 of the plugin. Users are advised to update to this version or later to mitigate the security risk (WPScan).