cleantalk
Vulnerabilities and Security Researches

All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic, CVE-2025-12847

CVE, Research URL

CVE-2025-12847

Home page URL

Security reports for All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic

Application

All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic

Published on
Nov 15, 2025
Research Description
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs.
Affected versions
max 4.9.0.
Status
vulnerable
Previous vulnerability researches
SKT Skill Bar (CVE-2025-66090) , Dec 11, 2025
SKT Skill Bar (CVE-2024-38698) , Jul 15, 2024
SKT Skill Bar (CVE-2025-47482) , May 09, 2025
SKT Skill Bar (CVE-2025-26880) , Apr 15, 2025
New vulnerability
Knowledge Base documentation & wiki plugin – BasePress Docs (CVE-2025-62761) , Jan 09, 2026
WordPress Tooltips (CVE-2025-63005) , Jan 09, 2026
Document Library Lite (CVE-2025-67986) , Jan 09, 2026
Document Library Lite (CVE-2025-67985) , Jan 09, 2026
Paid Membership Plugin, Ecommerce, User Registration Form, Login Form, User Profile & Restrict Content – ProfilePress (CVE-2025-13642) , Jan 09, 2026