CVE-2025-12847
Unknown Unknown - Not Provided

BaseFortify

Vulnerability report for CVE-2025-12847, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-15

Last updated on: 2025-11-15

Assigner: Wordfence

Description

The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-15
Last Modified
2025-11-15
Generated
2026-07-06
AI Q&A
2025-11-15
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
wordpress all_in_one_seo 4.8.9

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the All in One SEO plugin for WordPress, where an authorization check is missing in the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator`. Users with Contributor-level access or higher can delete arbitrary media attachments without proper permission checks, allowing them to permanently delete media files by specifying their IDs.

Impact Analysis

An attacker with Contributor-level access or higher can exploit this vulnerability to delete any media attachments on the WordPress site without proper authorization. This could lead to loss of important media content, disruption of website functionality, and potential damage to the site's content integrity.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-12847. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart