The vulnerability identified as CVE-2025-12847 affects the All in One SEO plugin for WordPress, a widely used SEO tool designed to improve site rankings and traffic. The issue arises from a missing authorization check in the REST API endpoint /wp-json/aioseo/v1/ai/image-generator. This endpoint validates that a user has the edit_posts capability, which is granted to Contributors and above, but fails to verify whether the user actually owns or has permission to delete the targeted media attachments. Consequently, any authenticated user with Contributor-level access or higher can delete arbitrary media attachments by specifying their IDs, assuming they can enumerate or guess valid attachment IDs. This vulnerability is classified under CWE-862 (Missing Authorization) and has a CVSS 3.1 base score of 4.3, indicating medium severity. The impact is limited to integrity as it allows unauthorized deletion of media files, but does not affect confidentiality or availability. The vulnerability affects all versions up to and including 4.8.9 of the plugin. No patches or fixes are currently linked, and no active exploitation has been reported. The attack vector is network-based, requiring only low privileges and no user interaction, making it relatively easy to exploit within compromised or multi-user environments. The scope is limited to WordPress sites using this plugin and having users with Contributor or higher roles.

The primary impact of CVE-2025-12847 is unauthorized deletion of media attachments, which can disrupt website content integrity and user experience. For organizations relying on WordPress sites with the All in One SEO plugin, this could lead to loss of important images or media assets, potentially affecting marketing materials, product images, or other critical content. Although the vulnerability does not directly compromise confidentiality or availability, the integrity loss can result in reputational damage, operational disruption, and increased recovery costs. In multi-user environments such as large organizations, educational institutions, or agencies where multiple contributors have access, the risk of insider threat or compromised contributor accounts exploiting this flaw is significant. Attackers with Contributor-level access could leverage this to sabotage content or cause persistent damage. Since the vulnerability requires authenticated access, the impact is mitigated somewhat by existing access controls, but weak credential management or compromised accounts increase risk. The absence of patches means organizations must rely on compensating controls until updates are available.

To mitigate CVE-2025-12847, organizations should first monitor and restrict Contributor-level and higher user roles to trusted personnel only, minimizing the attack surface. Implement strict credential hygiene, including strong passwords and multi-factor authentication, to reduce the risk of account compromise. Temporarily disable or restrict access to the vulnerable REST API endpoint using web application firewalls (WAFs) or custom rules that block or limit requests to /wp-json/aioseo/v1/ai/image-generator. Regularly audit media attachments and maintain backups to enable recovery from unauthorized deletions. Administrators should keep the All in One SEO plugin updated and monitor vendor communications for forthcoming patches or security advisories. If feasible, consider replacing or supplementing the plugin with alternative SEO tools that have stronger authorization controls. Additionally, implement logging and alerting on media deletion events to detect suspicious activity promptly. Employ the principle of least privilege by reviewing and minimizing user capabilities within WordPress to reduce exposure.