CVE-2025-12360: CWE-285 Improper Authorization in codesolz Better Find and Replace – AI-Powered Suggestions
CVE-2025-12360 is a medium-severity vulnerability in the WordPress plugin 'Better Find and Replace – AI-Powered Suggestions' by codesolz. The flaw arises from a missing capability check in the rtafar_ajax() function, allowing authenticated users with Subscriber-level access to misuse the OpenAI API key. Exploitation leads to unauthorized API calls that consume the plugin owner's OpenAI quota, potentially incurring unexpected costs. The vulnerability does not impact confidentiality or availability but affects integrity by enabling unauthorized resource usage. No user interaction is required beyond having a low-level authenticated account. There are no known exploits in the wild, and no patches have been published yet. European organizations using this plugin on WordPress sites should be aware of the risk of quota abuse and associated financial impact. Mitigation involves restricting API access through custom capability checks or disabling the plugin until an official fix is available. Countries with high WordPress adoption and active use of AI-powered plugins, such as Germany, the UK, France, and the Netherlands, are most likely to be affected.
AI Analysis
Technical Summary
The vulnerability identified as CVE-2025-12360 affects the 'Better Find and Replace – AI-Powered Suggestions' WordPress plugin developed by codesolz. The plugin integrates AI-powered features by calling the OpenAI API to provide enhanced find-and-replace functionality. The root cause is improper authorization (CWE-285): the rtafar_ajax() function, which handles AJAX requests for the plugin's AI features, performs no capability check. As a result, any authenticated user, including one with the minimal Subscriber role, can invoke this function and trigger OpenAI API calls with the plugin owner's API key. This unauthorized usage consumes the API quota and may result in unexpected financial charges for the site owner. The vulnerability does not expose sensitive data or allow modification of site content, but it compromises the integrity of resource usage. The CVSS v3.1 base score is 4.3 (medium), reflecting a network attack vector, low attack complexity, low privileges required, no user interaction, and limited impact confined to integrity. No patches or official fixes had been released at the time of publication, and no active exploitation has been reported. All plugin versions up to and including 1.7.7 are affected. Given the widespread use of WordPress and the increasing adoption of AI-powered plugins, this vulnerability presents a risk primarily of financial abuse rather than data breach or service disruption.
Potential Impact
For European organizations, the primary impact of this vulnerability is financial due to unauthorized consumption of the OpenAI API quota linked to the plugin owner's account. Organizations running WordPress sites with this plugin installed may face unexpected charges if attackers with low-level access exploit the flaw. While the vulnerability does not directly compromise confidentiality or availability, it undermines the integrity of resource usage and could lead to operational disruptions if API quotas are exhausted, potentially disabling AI-powered features. Additionally, the presence of this vulnerability may indicate insufficient access control practices, which could be leveraged in conjunction with other vulnerabilities. Organizations in sectors with strict compliance requirements may face reputational damage if unauthorized usage is detected. The risk is heightened for multi-user WordPress environments where many users have Subscriber-level access, such as community portals or membership sites common in Europe.
Mitigation Recommendations
To mitigate this vulnerability, organizations should first identify whether they are running an affected plugin version (up to and including 1.7.7). Until an official patch is released, administrators should consider disabling the plugin to prevent unauthorized API usage. If disabling is not feasible, implement custom capability checks by modifying the plugin code so that the rtafar_ajax() function is reachable only by trusted roles (e.g., Administrator or Editor). Monitoring API usage logs from OpenAI can help detect abnormal consumption patterns indicative of exploitation. Additionally, restrict Subscriber-level user permissions to the minimum necessary and audit user accounts regularly to reduce the risk of abuse. Employ web application firewalls (WAFs) with rules to detect and block suspicious AJAX requests targeting the vulnerable function. Finally, stay updated with vendor announcements for patches and apply them promptly once available.
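The capability-check mitigation above, as an added example that is not code from the codesolz plugin or from this advisory: a must-use plugin that enforces the check in front of the AJAX action before the plugin's own handler runs, so it does not need to edit plugin files that a later update would overwrite. It assumes WordPress 4.7 or later (for wp_doing_ajax() and the status-code argument of wp_send_json_error()); the AJAX action name 'rtafar_ajax' is a placeholder, since the advisory names only the PHP function, and must be confirmed against the plugin's own add_action( 'wp_ajax_...' ) registration.

```php
<?php
/**
 * Plugin Name: Guard AI-powered AJAX actions (added example)
 *
 * Drop into wp-content/mu-plugins/. admin-ajax.php fires 'admin_init'
 * before any wp_ajax_{action} handler, so a denial here stops the
 * request before rtafar_ajax() ever calls OpenAI.
 */

defined( 'ABSPATH' ) || exit;

// PLACEHOLDER: the AJAX action name(s) that route to rtafar_ajax().
// Fill in from the plugin's add_action( 'wp_ajax_...' ) calls.
const RTAFAR_GUARDED_ACTIONS = array( 'rtafar_ajax' );

// Administrators and Editors hold 'edit_others_posts'; Subscribers do not,
// which matches the trusted roles the advisory recommends.
const RTAFAR_REQUIRED_CAP = 'edit_others_posts';

function rtafar_guard_ajax_actions() {
    // Only act on admin-ajax requests that carry an action parameter.
    if ( ! wp_doing_ajax() || empty( $_REQUEST['action'] ) ) {
        return;
    }
    $action = sanitize_key( wp_unslash( $_REQUEST['action'] ) );
    if ( ! in_array( $action, RTAFAR_GUARDED_ACTIONS, true ) ) {
        return; // not one of the guarded actions; leave it alone
    }
    if ( current_user_can( RTAFAR_REQUIRED_CAP ) ) {
        return; // trusted role: let the plugin's own handler run
    }
    // Denied: log user id and source IP for detection, then reply 403 and
    // exit (wp_send_json_error() calls wp_die()), so the handler never fires.
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    error_log( sprintf(
        'rtafar guard: denied action=%s user=%d ip=%s',
        $action, get_current_user_id(), $ip
    ) );
    wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
}
// Priority 0 so the guard runs before other admin_init callbacks.
add_action( 'admin_init', 'rtafar_guard_ajax_actions', 0 );
```

The error_log line gives a simple signal to alert on: repeated denials from one Subscriber account are the access pattern this advisory describes, and they can be correlated with the OpenAI usage monitoring recommended above.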
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-10-27T16:20:33.609Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690c517b03d96811746f9a52
Added to database: 11/6/2025, 7:42:51 AM
Last enriched: 11/6/2025, 7:53:23 AM
Last updated: 11/6/2025, 9:16:28 AM