{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-12847", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-11-06T21:04:39.818Z", "datePublished": "2025-11-15T05:45:32.963Z", "dateUpdated": "2026-04-08T16:33:27.132Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T16:33:27.132Z"}, "affected": [{"vendor": "smub", "product": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.8.9", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs."}], "title": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.8.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Media Deletion", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05abc09f-903b-45a9-8cde-1bf8fd5d7d44?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Api.php#L192"}, {"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Ai.php#L542"}, {"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Ai/Image.php#L192"}, {"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Utils/Access.php#L184"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393820%40all-in-one-seo-pack&old=3384131%40all-in-one-seo-pack&sfp_email=&sfph_mail=#file1387"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "timeline": [{"time": "2025-11-06T21:20:07.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2025-11-14T16:58:45.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-11-17T18:42:37.154492Z", "id": "CVE-2025-12847", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-17T18:42:46.195Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-12847", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-11-17T18:42:37.154492Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-11-17T18:42:42.215Z"}}], "cna": {"title": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.8.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Media Deletion", "credits": [{"lang": "en", "type": "finder", "value": "Angus Girvan"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"}}], "affected": [{"vendor": "smub", "product": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic", "versions": [{"status": "affected", "version": "*", "versionType": "semver", "lessThanOrEqual": "4.8.9"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-11-06T21:20:07.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2025-11-14T16:58:45.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05abc09f-903b-45a9-8cde-1bf8fd5d7d44?source=cve"}, {"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Api.php#L192"}, {"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Ai.php#L542"}, {"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Ai/Image.php#L192"}, {"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Utils/Access.php#L184"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393820%40all-in-one-seo-pack&old=3384131%40all-in-one-seo-pack&sfp_email=&sfph_mail=#file1387"}], "descriptions": [{"lang": "en", "value": "The All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2025-11-15T05:45:32.963Z"}}}, "cveMetadata": {"cveId": "CVE-2025-12847", "state": "PUBLISHED", "dateUpdated": "2025-11-17T18:42:46.195Z", "dateReserved": "2025-11-06T21:04:39.818Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2025-11-15T05:45:32.963Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs."}], "id": "CVE-2025-12847", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2025-11-15T06:15:43.383", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Ai/Image.php#L192"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Ai.php#L542"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Api.php#L192"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Utils/Access.php#L184"}, {"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393820%40all-in-one-seo-pack&old=3384131%40all-in-one-seo-pack&sfp_email=&sfph_mail=#file1387"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05abc09f-903b-45a9-8cde-1bf8fd5d7d44?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-22T16:40:50.758748+00:00", "value": {"mitigation_remediation": ["Upgrade the All in One SEO Pack plugin to the latest version (4.9 or newer) which removes the missing authorization check.", "Apply an interim patch that enforces an ownership check before deleting media, such as verifying the current user's control over the attachment or rejecting deletion requests lacking a valid owner relation.", "If an upgrade or patch is not immediately possible, configure WordPress to block or restrict the /wp-json/aioseo/v1/ai/image-generator endpoint for non\u2011administrator roles, ensuring only privileged users can access it."], "summary": {"action": "Immediate Patch", "impact": "Unrestricted deletion of media attachments"}, "threat_synthesis": {"affected_systems": "WordPress sites running the All in One SEO Pack plugin version 4.8.9 or earlier are affected. The issue exists in every release up to 4.8.9, regardless of additional plugins or themes.", "description_and_impact": "The vulnerability in the All in One SEO plugin allows authenticated users with Contributor level or higher to permanently delete media files owned by other users. The REST API endpoint /wp-json/aioseo/v1/ai/image\u2011generator verifies only that the user can edit posts, neglecting any check for ownership or delete permission of the targeted media attachment. As a result, an attacker who can determine a valid attachment ID can cause irretrievable loss of media, compromising site integrity and potentially business assets.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity. The EPSS score of <1% suggests that automated exploitation is unlikely, yet a determined insider or compromised contributor account could exploit the flaw manually. The vulnerability is not listed in the CISA KEV catalog. Attackers must authenticate and possess Contributor or higher capability, then supply a valid media attachment ID to the REST endpoint to delete it."}}}}, "created": "2025-11-15T22:07:22.303611+00:00", "updated": "2026-04-22T16:45:21.460733+00:00", "vendors": ["smub", "smub$PRODUCT$all_in_one_seo", "wordpress", "wordpress$PRODUCT$wordpress"]}