All in One SEO < 4.9.0 – Contributor+ Arbitrary Media Deletion | CVE 2025-12847 | Plugin Vulnerabilities

Description

The plugin is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs.

Affects Plugins

all-in-one-seo-pack

Fixed in 4.9.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/05abc09f-903b-45a9-8cde-1bf8fd5d7d44

Classification

Type

NO AUTHORISATION

OWASP top 10

A5: Broken Access Control

CWE

CVSS

Miscellaneous

Original Researcher

shark3y

Verified

No

WPVDB ID

e0686462-10c0-40c0-ba5c-b255adf11644

Timeline

Publicly Published

2025-11-14 (about 5 months ago)

Added

2025-11-14 (about 5 months ago)

Last Updated

2025-11-14 (about 5 months ago)

Other

Published

Title

Published

2024-08-07

Title

Sunshine Photo Cart < 3.2.2 - Missing Authorization

Published

2024-12-27

Title

IdeaPush < 8.73 - Missing Authorization

Published

2025-09-03

Title

Paid Member Subscriptions < 2.16.0 - Missing Authorization

Published

2026-04-29

Title

Eventin – Event Calendar, Event Registration, Tickets & Booking (AI Powered) < 4.1.9 - Missing Authorization

Published

2024-04-29

Title

Embed Google Fonts <= 3.1.0 - Missing Authorization