The vulnerability identified as CVE-2025-12360 affects the WordPress plugin 'Better Find and Replace – AI-Powered Suggestions' developed by codesolz. This plugin integrates AI-powered suggestions by leveraging the OpenAI API. The security issue stems from improper authorization (CWE-285) due to the absence of a capability check in the rtafar_ajax() function, which handles AJAX requests. As a result, any authenticated user, even those with minimal privileges such as Subscribers, can invoke this function to trigger calls to the OpenAI API using the site owner's API key. This unauthorized usage can lead to excessive consumption of the API quota, potentially incurring unexpected costs for the website owner. The vulnerability affects all versions up to and including 1.7.7. The CVSS v3.1 base score is 4.3 (medium), reflecting that the attack vector is network-based, requires low privileges, no user interaction, and impacts integrity by enabling misuse of API resources. There is no direct impact on confidentiality or availability. No patches are currently linked, and no known exploits have been observed in the wild. The vulnerability highlights the importance of enforcing proper capability checks on sensitive API-invoking functions within WordPress plugins, especially those integrating third-party services with cost implications.

The primary impact of this vulnerability is financial and operational. Unauthorized API usage can lead to rapid depletion of the OpenAI API quota, resulting in unexpected charges for organizations relying on this plugin. This can disrupt AI-powered functionalities if the quota is exhausted, indirectly affecting website user experience and business operations. Since the exploit requires only Subscriber-level authentication, attackers can be internal users or compromised low-privilege accounts, increasing the risk of abuse. There is no direct data breach or service disruption, but the integrity of API usage is compromised. Organizations with high traffic or multiple Subscriber accounts are at greater risk. The vulnerability could also be leveraged as part of a larger attack chain to cause financial damage or degrade service quality.

To mitigate this vulnerability, organizations should immediately restrict access to the affected AJAX function by implementing proper capability checks ensuring only trusted roles (e.g., Administrators) can invoke it. If possible, update the plugin to a patched version once released by the vendor. In the absence of an official patch, site administrators can apply temporary code-level fixes by adding capability checks to the rtafar_ajax() function or disabling the plugin if AI-powered suggestions are not critical. Monitoring API usage logs for unusual spikes can help detect exploitation attempts early. Additionally, consider implementing API key usage limits or alerts through the OpenAI platform to prevent excessive charges. Regularly audit user roles and permissions to minimize the number of accounts with unnecessary access. Finally, maintain backups and incident response plans to address potential abuse scenarios.