CVE-2025-12847: Critical Vulnerability in AIOSEO Plugin Exposes WordPress Sites to Unauthorized Media Deletion

Overview

A security vulnerability, identified as CVE-2025-12847, has been discovered in the All in One SEO (AIOSEO) – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress. This flaw allows authenticated attackers with Contributor-level access or higher to delete arbitrary media attachments without proper authorization. All versions up to and including 4.8.9 are affected. This represents a significant risk to website data integrity and availability.

Technical Details

The vulnerability stems from a missing authorization check within the REST API endpoint /wp-json/aioseo/v1/ai/image-generator. The plugin incorrectly verifies user permissions by only checking for the edit_posts capability, which is granted to Contributors and higher roles. It fails to validate whether the user owns or has specific permission to delete the targeted media attachment. Consequently, if an attacker knows or can guess a valid media attachment ID, they can use the REST API to permanently delete that attachment, even if they lack the appropriate ownership or permissions.
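The pattern described above, as an added illustration that is not AIOSEO's own code: a WordPress REST route whose permission callback only checks `edit_posts` (the weak check), beside a hardened callback that also requires the per-object `delete_post` capability on the targeted attachment. The route path, parameter name and function names are assumed for the example.

```php
<?php
// Added example (not the plugin's actual code). Shows why a role-level
// capability check is insufficient for a per-object delete action, and
// what a defender should expect to see in a fixed permission callback.

// Weak pattern: every Contributor holds edit_posts, so this passes for any
// authenticated low-privilege user regardless of who owns the attachment.
// Shown only for contrast with the hardened version below.
function example_weak_permission_check( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Hardened pattern: resolve the target and require the per-object
// 'delete_post' meta capability, which WordPress maps to delete_posts or
// delete_others_posts depending on whether the caller owns the attachment.
function example_hardened_permission_check( WP_REST_Request $request ) {
    $attachment_id = absint( $request->get_param( 'attachmentId' ) );
    if ( ! $attachment_id || 'attachment' !== get_post_type( $attachment_id ) ) {
        return new WP_Error( 'rest_invalid_attachment', 'Unknown attachment.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'delete_post', $attachment_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You may not delete this attachment.', array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

// Handler: runs only after the permission callback returned true.
function example_delete_attachment( WP_REST_Request $request ) {
    $attachment_id = absint( $request->get_param( 'attachmentId' ) );
    if ( ! wp_delete_attachment( $attachment_id, true ) ) {
        return new WP_Error( 'rest_delete_failed', 'Deletion failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => $attachment_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/media/(?P<attachmentId>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_attachment',
        'permission_callback' => 'example_hardened_permission_check',
        'args'                => array(
            'attachmentId' => array(
                'required'          => true,
                'validate_callback' => 'rest_is_integer',
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
} );
```

When reviewing a plugin for this class of bug, look for `permission_callback` entries that test only a role-level capability (`edit_posts`, `upload_files`) while the handler acts on an ID supplied by the caller.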

The vulnerable code can be located at the following locations (based on version 4.8.9):

CVSS Analysis

The Common Vulnerability Scoring System (CVSS) score for CVE-2025-12847 is 4.3 (Medium). The CVSS vector string is not provided, but this score generally indicates a moderately exploitable vulnerability with a relatively low attack complexity and moderate impact on data integrity and availability.

Possible Impact

Successful exploitation of this vulnerability can lead to:

  • Data Loss: Permanent deletion of important media files, potentially disrupting website content and functionality.
  • Website Defacement: Attackers could remove critical images or other media, effectively defacing the website.
  • SEO Impact: Loss of images can negatively impact search engine rankings.
  • Business Disruption: The need to restore lost media can lead to downtime and productivity losses.

Mitigation or Patch Steps

The recommended mitigation is to update the All in One SEO plugin to the latest version. The vulnerability has been patched in versions released after 4.8.9. Ensure that your WordPress installation is also up-to-date, as this provides a secure base for your plugins.

The fix can be reviewed in this changeset: AIOSEO Changelog

Cybersecurity specialist and founder of Gowri Shankar Infosec - a professional blog dedicated to sharing actionable insights on cybersecurity, data protection, server administration, and compliance frameworks including SOC 2, PCI DSS, and GDPR.