PT-2025-47041 · WordPress · All In One Seo+1

Angus Girvan · Published 2025-11-15 · Updated 2025-11-15 · CVE-2025-12847

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Name of the Vulnerable Software and Affected Versions: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic, versions prior to 4.8.10

Description: The All in One SEO plugin for WordPress has a flaw that allows unauthorized deletion of media attachments. The issue stems from a missing authorization check in the REST API endpoint /wp-json/aioseo/v1/ai/image-generator. The endpoint only verifies the edit_posts capability, which users with Contributor-level access and above hold, without confirming ownership of, or permission to delete, the specific media attachment named in the request. This allows authenticated attackers with Contributor access or higher to permanently delete arbitrary media attachments by supplying valid attachment IDs to the API.

Recommendations: Update All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic to version 4.8.10 or later.
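As an added illustration (not code from the All in One SEO plugin), the pattern described above: a REST route whose permission callback checks only a generic capability, beside one that loads the specific attachment and checks the delete_post meta capability on it, which is what WordPress core's own attachment REST controller does. The route namespace, function names and the attachment_id parameter are placeholders.

```php
<?php
// Illustrative example, not the plugin's own code. Route namespace,
// function names and the attachment_id parameter are placeholders.

// Weak gate: a role-level capability only. Every Contributor and above
// holds edit_posts, so this says nothing about the attachment named in
// the request; any valid attachment ID passes.
function example_weak_permission_check( WP_REST_Request $request ) {
    return current_user_can( 'edit_posts' );
}

// Corrected gate: resolve the specific attachment and ask for delete_post
// on that object. delete_post is a meta capability that WordPress maps
// per post (author, status, post type), so a Contributor is refused for
// attachments they do not own.
function example_strict_permission_check( WP_REST_Request $request ) {
    $id   = absint( $request->get_param( 'attachment_id' ) );
    $post = $id ? get_post( $id ) : null;
    if ( ! $post || 'attachment' !== $post->post_type ) {
        return new WP_Error( 'rest_not_found', 'No such attachment.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'delete_post', $post->ID ) ) {
        return new WP_Error( 'rest_forbidden', 'Not allowed to delete this attachment.', array( 'status' => 403 ) );
    }
    return true;
}

// Handler: only reached after the permission callback returned true.
function example_delete_attachment( WP_REST_Request $request ) {
    $id = absint( $request->get_param( 'attachment_id' ) );
    if ( ! wp_delete_attachment( $id, true ) ) {
        return new WP_Error( 'rest_delete_failed', 'Deletion failed.', array( 'status' => 500 ) );
    }
    return rest_ensure_response( array( 'deleted' => $id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/attachment/(?P<attachment_id>\d+)', array(
        'methods'             => WP_REST_Server::DELETABLE,
        'callback'            => 'example_delete_attachment',
        // Wiring example_weak_permission_check here instead is the
        // missing-authorization pattern the advisory describes.
        'permission_callback' => 'example_strict_permission_check',
        'args'                => array(
            'attachment_id' => array( 'required' => true, 'validate_callback' => 'is_numeric' ),
        ),
    ) );
} );
```

The object-level check is the part that matters: a permission_callback that never looks at the requested ID cannot enforce ownership, whatever capability it tests.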

Fix

Weakness Enumeration: Missing Authorization

Related Identifiers: CVE-2025-12847

Affected Products: All In One Seo, WordPress