{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12360", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-10-27T16:20:33.609Z", "datePublished": "2025-11-06T07:27:05.431Z", "dateUpdated": "2026-04-08T17:01:20.588Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:20.588Z"}, "affected": [{"vendor": "codesolz", "product": "Better Find and Replace \u2013 AI-Powered Suggestions", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "1.7.7", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The Better Find and Replace \u2013 AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost."}], "title": "Better Find and Replace <= 1.7.7 - Missing Authorization", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/757e41dd-d72f-4e87-a087-c5c38bd727e5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L31"}, {"url": "https://plugins.trac.wordpress.org/changeset/3389979/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php?contextall=1&old=3343531&old_path=%2Freal-time-auto-find-and-replace%2Ftrunk%2Fcore%2Factions%2FRTAFAR_CustomAjax.php"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-285 Improper Authorization", "cweId": "CWE-285", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Adrian Lukita"}], "timeline": [{"time": "2025-10-28T04:23:43.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-05T19:08:46.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-06T14:51:27.013683Z", "id": "CVE-2025-12360", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T14:51:40.221Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12360", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-06T14:51:27.013683Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-06T14:51:32.468Z"}}], "cna": {"title": "Better Find and Replace <= 1.7.7 - Missing Authorization", "credits": [{"lang": "en", "type": "finder", "value": "Adrian Lukita"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "codesolz", "product": "Better Find and Replace \u2013 AI-Powered Suggestions", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "1.7.7"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-10-28T04:23:43.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-05T19:08:46.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/757e41dd-d72f-4e87-a087-c5c38bd727e5?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L31"}, {"url": "https://plugins.trac.wordpress.org/changeset/3389979/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php?contextall=1&old=3343531&old_path=%2Freal-time-auto-find-and-replace%2Ftrunk%2Fcore%2Factions%2FRTAFAR_CustomAjax.php"}], "descriptions": [{"lang": "en", "value": "The Better Find and Replace \u2013 AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-285", "description": "CWE-285 Improper Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:01:20.588Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12360", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:01:20.588Z", "dateReserved": "2025-10-27T16:20:33.609Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-06T07:27:05.431Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The Better Find and Replace \u2013 AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost."}], "id": "CVE-2025-12360", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-06T08:15:38.720", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L31"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3389979/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php?contextall=1&old=3343531&old_path=%2Freal-time-auto-find-and-replace%2Ftrunk%2Fcore%2Factions%2FRTAFAR_CustomAjax.php"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/757e41dd-d72f-4e87-a087-c5c38bd727e5?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-285"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T12:54:53.138035+00:00", "value": {"mitigation_remediation": ["Upgrade the Better Find and Replace \u2013 AI-Powered Suggestions plugin to a patched version that resolves the missing capability check.", "If upgrading immediately is not possible, block or hard\u2011code the rtafar_ajax endpoint for Subscriber users (e.g., via a custom plugin or .htaccess) to prevent unauthorized API calls until a patch is applied.", "Consider revoking or temporarily disabling the site's OpenAI API key in WordPress settings to stop external calls until the plugin is fixed."], "summary": {"action": "Patch", "impact": "Unauthorized API usage leading to potential cost"}, "threat_synthesis": {"affected_systems": "WordPress sites using the Better Find and Replace \u2013 AI-Powered Suggestions plugin, versions up through 1.7.7, are affected.", "description_and_impact": "The Better Find and Replace \u2013 AI-Powered Suggestions plugin contains a missing capability check in the rtafar_ajax() function across all versions up to 1.7.7. As a result, any authenticated user with Subscriber-level access can trigger the plugin to call the OpenAI API using the site\u2019s API key. This allows the attacker to consume API quota and potentially generate unintended charges to the site owner, without exposing code execution or data exfiltration abilities.", "risk_and_exploitability": "The CVSS score of 4.3 indicates a moderate severity, but the EPSS score of less than 1% suggests that exploitation is unlikely to be widespread at present. The vulnerability is not listed in CISA\u2019s KEV catalog. Exploitation requires the attacker to have authenticated access as a Subscriber; once logged in, the attacker can simply invoke the unauthorized API endpoint to trigger costly OpenAI requests."}}}}, "created": "2025-11-06T20:38:34.882379+00:00", "updated": "2026-04-22T13:00:09.740781+00:00", "vendors": ["codesolz", "codesolz$PRODUCT$better_find_and_replace", "wordpress", "wordpress$PRODUCT$wordpress"]}