CVE-2025-12847
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-11-15

Last updated on: 2025-11-15

Assigner: Wordfence

Description
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-15
Last Modified
2025-11-15
Generated
2026-05-07
AI Q&A
2025-11-15
EPSS Evaluated
2026-05-05
NVD
CVE-2025-12847
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
wordpress all_in_one_seo 4.8.9
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in the All in One SEO plugin for WordPress, where an authorization check is missing in the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator`. Users with Contributor-level access or higher can delete arbitrary media attachments without proper permission checks, allowing them to permanently delete media files by specifying their IDs.


How can this vulnerability impact me? :

An attacker with Contributor-level access or higher can exploit this vulnerability to delete any media attachments on the WordPress site without proper authorization. This could lead to loss of important media content, disruption of website functionality, and potential damage to the site's content integrity.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart