CVE-2025-12847: CWE-862 Missing Authorization in smub All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs.
AI Analysis
Technical Summary
CVE-2025-12847 is a missing authorization vulnerability (CWE-862) affecting all versions up to 4.8.9 of the All in One SEO – Powerful SEO Plugin for WordPress. The vulnerability exists in the REST API endpoint /wp-json/aioseo/v1/ai/image-generator, which allows authenticated users with the edit_posts capability (typically Contributors and above) to delete media attachments arbitrarily. The plugin fails to verify whether the user owns or has explicit permission to delete the targeted media attachment, relying solely on the general capability check. This means that any authenticated user with contributor-level access can supply a valid media attachment ID and cause permanent deletion of that media item. The vulnerability does not require user interaction beyond authentication and can be exploited remotely over the network. The CVSS v3.1 base score is 4.3, reflecting low complexity and limited impact on confidentiality and availability but a direct impact on integrity due to unauthorized deletion of media. No patches or exploits are currently publicly available, but the vulnerability poses a risk to website content integrity and operational continuity, especially for sites relying heavily on media assets. The flaw highlights the importance of fine-grained authorization checks beyond capability verification in REST API endpoints.
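The pattern the advisory describes, shown as an added illustration that is not the plugin's code: a `permission_callback` that stops at a general capability check, next to one that also checks the meta capability for the specific attachment. The route name, the `attachment_id` parameter and the `example_*` function names are assumptions for this example.

```php
<?php
// Added illustration (not the plugin's code). Route, parameter name and
// callback names are assumptions; the WordPress API calls are real.

// Weak pattern: a capability check alone. Every Contributor passes,
// regardless of who owns the attachment that is about to be deleted.
function example_weak_permission_callback( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Hardened pattern: check the meta capability for the specific object.
// WordPress maps 'delete_post' for attachments to the caller's role and to
// ownership, so a Contributor may only delete attachments they uploaded.
function example_hardened_permission_callback( WP_REST_Request $request ) {
    $attachment_id = (int) $request->get_param( 'attachment_id' );
    $attachment    = get_post( $attachment_id );

    if ( ! $attachment || 'attachment' !== $attachment->post_type ) {
        return new WP_Error( 'rest_invalid_attachment', 'Not a media attachment.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not delete this attachment.', array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

function example_delete_attachment_callback( WP_REST_Request $request ) {
    $attachment_id = (int) $request->get_param( 'attachment_id' );
    // Force-delete bypasses the trash; the permission callback has already run.
    $deleted = wp_delete_attachment( $attachment_id, true );
    if ( ! $deleted ) {
        return new WP_Error( 'rest_delete_failed', 'Deletion failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => true, 'id' => $attachment_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/image-cleanup', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_attachment_callback',
        'permission_callback' => 'example_hardened_permission_callback',
        'args'                => array(
            'attachment_id' => array( 'required' => true, 'type' => 'integer' ),
        ),
    ) );
} );
```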
Potential Impact
For European organizations, this vulnerability could lead to unauthorized deletion of critical media assets such as images, videos, or documents hosted on WordPress sites using the affected plugin. This can disrupt website appearance, degrade user experience, and potentially cause loss of important marketing or informational content. Organizations in sectors relying on rich media content for customer engagement, e-commerce, or brand reputation are particularly at risk. Although the vulnerability does not expose sensitive data or cause denial of service, the integrity loss can lead to reputational damage and operational overhead to restore deleted content. Attackers with contributor-level access could be internal users or compromised accounts, increasing the risk of insider threats or lateral movement within the CMS environment. Given the widespread use of WordPress and the popularity of the All in One SEO plugin, the threat surface is significant across European businesses, especially SMEs and digital agencies that may have less mature access controls.
Mitigation Recommendations
Immediate mitigation should include preventing contributor-level roles from reaching the vulnerable REST API endpoint by implementing custom access controls, or disabling the endpoint if it is not required. Administrators should audit user roles and permissions to ensure that only trusted users hold Contributor or higher privileges. Applying the vendor patch as soon as it becomes available is critical. In the absence of an official patch, organizations can implement Web Application Firewall (WAF) rules to block or monitor suspicious REST API calls targeting /wp-json/aioseo/v1/ai/image-generator. Regular backups of media content should be maintained so that deleted items can be restored quickly. Monitoring and alerting on unusual media deletion activity can help detect exploitation attempts. Additionally, organizations should consider multi-factor authentication and stronger user verification to reduce the risk of compromised accounts being used to exploit this vulnerability.
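One way to apply the interim controls above on the site itself, as an added example rather than vendor code: a must-use plugin that refuses the affected route to anyone below Editor (the `delete_others_posts` capability is this example's choice), optionally switches the route off, and logs every media deletion with the acting user so that bursts of deletions by low-privilege accounts stand out during log review.

```php
<?php
/*
 * Plugin Name: Example interim guard for the AIOSEO image-generator route
 * Added illustration, not vendor code. Place in wp-content/mu-plugins/ as an
 * interim control until the vendor fix is applied. Requiring
 * delete_others_posts (Editor and above) is this example's choice.
 */

// Set to true to switch the route off entirely if the AI image feature is unused.
define( 'EXAMPLE_AIOSEO_IMAGE_ROUTE_DISABLED', false );

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    if ( '/aioseo/v1/ai/image-generator' !== $request->get_route() ) {
        return $response; // Not the route of interest; leave the request alone.
    }

    if ( EXAMPLE_AIOSEO_IMAGE_ROUTE_DISABLED ) {
        return new WP_Error( 'rest_route_disabled', 'This route is disabled on this site.', array( 'status' => 404 ) );
    }

    if ( ! current_user_can( 'delete_others_posts' ) ) {
        // Record who was refused, so repeated attempts can be alerted on.
        error_log( sprintf(
            'aioseo image-generator route denied: user=%d method=%s ip=%s',
            get_current_user_id(),
            $request->get_method(),
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown'
        ) );
        return new WP_Error( 'rest_forbidden', 'Insufficient privileges for this route.', array( 'status' => rest_authorization_required_code() ) );
    }

    return $response; // Editors and above proceed to the plugin's own handler.
}, 10, 3 );

// Detection: log every media deletion with the acting user and request URI,
// whichever code path performed it.
add_action( 'delete_attachment', function ( $post_id ) {
    $user = wp_get_current_user();
    error_log( sprintf(
        'media attachment deleted: id=%d by user=%d (%s) uri=%s',
        $post_id,
        $user->ID,
        $user->user_login ? $user->user_login : 'anonymous',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : 'cli'
    ) );
} );
```

Returning a `WP_Error` from `rest_request_before_callbacks` short-circuits dispatch before the route's own callback runs, so the plugin's handler never sees the denied request.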
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden, Belgium, Austria
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-11-06T21:04:39.818Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6918143b93cc35e7aa3af0eb
Added to database: 11/15/2025, 5:48:43 AM
Last enriched: 11/22/2025, 8:31:01 AM
Last updated: 1/7/2026, 8:46:47 AM