cleantalk
Vulnerabilities and Security Researches

All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic, CVE-2025-12847

CVE, Research URL

CVE-2025-12847

Home page URL

Security reports for All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic

Application

All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic

Published on
Nov 15, 2025
Research Description
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs.
Affected versions
max 4.9.0.
Status
vulnerable
Previous vulnerability researches
Supertext Translation and Proofreading (CVE-2025-47639) , May 09, 2025
Theme and plugin translation for Polylang (TTfP) (CVE-2022-4169) , Jun 07, 2024
Polylang (CVE-2014-4855) , Jun 06, 2024
Polylang (CVE-2025-64353) , Dec 10, 2025
Polylang , Jan 16, 2025
New vulnerability
WordPress Plugin for Google Maps – WP MAPS (CVE-2025-67535) , Jan 09, 2026
Widgets for Google Reviews (CVE-2025-12510) , Jan 09, 2026
Quiz And Survey Master – Best Quiz, Exam and Survey Plugin for WordPress (CVE-2025-63054) , Jan 09, 2026
Filter & Grids (CVE-2025-10289) , Jan 09, 2026
Admin and Site Enhancements (ASE) (CVE-2025-64255) , Jan 09, 2026