The vulnerability identified as CVE-2025-12360 affects the WordPress plugin 'Better Find and Replace – AI-Powered Suggestions' developed by codesolz. It stems from improper authorization (CWE-285) due to the absence of a capability check in the rtafar_ajax() function, which handles AJAX requests related to the plugin's AI-powered features. This flaw allows any authenticated user, even those with minimal privileges such as Subscribers, to invoke the plugin's AJAX endpoint and trigger calls to the OpenAI API using the site owner's API key. Because the plugin does not verify whether the user has sufficient permissions to perform this action, attackers can cause excessive API usage, leading to quota depletion and potential financial costs for the site owner. The vulnerability affects all plugin versions up to 1.7.7, with no patches currently available. The CVSS v3.1 base score is 4.3 (medium severity), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts integrity but not confidentiality or availability. There are no known exploits in the wild, but the risk lies primarily in unauthorized consumption of API resources and associated costs. The flaw does not allow data leakage or site compromise but can be leveraged for resource abuse. Since the plugin is integrated into WordPress sites, the attack surface includes any site with this plugin installed and active. The vulnerability highlights the importance of enforcing proper authorization checks on API endpoints, especially when external services with cost implications are involved.

For European organizations, the primary impact is financial and operational rather than direct data breach or service disruption. Unauthorized API calls to OpenAI can rapidly consume allocated quotas, leading to unexpected charges or service throttling. Organizations relying on this plugin for content management or AI-assisted editing may face increased operational costs and potential service interruptions if API limits are exhausted. While confidentiality and availability remain unaffected, the integrity of API usage is compromised, which could also lead to billing disputes or difficulties in auditing API consumption. Organizations with multiple WordPress sites using this plugin are at higher risk due to potential widespread abuse. Additionally, if attackers use the API excessively, it could degrade legitimate AI-powered functionalities, impacting productivity. The vulnerability may also be exploited as part of a broader attack chain to cause financial harm or distract security teams. Given the widespread use of WordPress in Europe, especially among SMEs and content-driven organizations, the risk is non-negligible. Compliance with data protection regulations is not directly impacted, but financial controls and resource governance are challenged.

Immediate mitigation steps include restricting plugin usage to trusted users only and monitoring API usage closely for anomalies. Site administrators should audit user roles and permissions to ensure that Subscriber-level accounts are limited and monitored. Since no official patch is available yet, organizations can implement custom code to add capability checks on the rtafar_ajax() function or disable the AJAX endpoint entirely if AI-powered suggestions are not critical. Alternatively, temporarily removing or deactivating the plugin until a fix is released is advisable. Monitoring OpenAI API usage and setting strict quota limits or alerts can help detect and prevent abuse. Organizations should also consider rotating the OpenAI API key if abuse is suspected. Regularly updating the plugin once a patch is released is essential. Implementing web application firewalls (WAFs) with rules to restrict access to the vulnerable AJAX endpoint based on user roles or IP addresses can provide additional protection. Finally, educating users about the risks of unauthorized API usage and enforcing strong authentication and user management policies will reduce exploitation likelihood.