Description
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs.
Published: 2025-11-15
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Unrestricted deletion of media attachments
Action: Immediate Patch
AI Analysis

Impact

The vulnerability in the All in One SEO plugin allows authenticated users with Contributor level or higher to permanently delete media files owned by other users. The REST API endpoint /wp-json/aioseo/v1/ai/image‑generator verifies only that the user can edit posts, neglecting any check for ownership or delete permission of the targeted media attachment. As a result, an attacker who can determine a valid attachment ID can cause irretrievable loss of media, compromising site integrity and potentially business assets.

Affected Systems

WordPress sites running the All in One SEO Pack plugin version 4.8.9 or earlier are affected. The issue exists in every release up to 4.8.9, regardless of additional plugins or themes.

Risk and Exploitability

The CVSS score of 4.3 indicates moderate severity. The EPSS score of <1% suggests that automated exploitation is unlikely, yet a determined insider or compromised contributor account could exploit the flaw manually. The vulnerability is not listed in the CISA KEV catalog. Attackers must authenticate and possess Contributor or higher capability, then supply a valid media attachment ID to the REST endpoint to delete it.

Generated by OpenCVE AI on April 22, 2026 at 16:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the All in One SEO Pack plugin to the latest version (4.9 or newer) which removes the missing authorization check.
  • Apply an interim patch that enforces an ownership check before deleting media, such as verifying the current user's control over the attachment or rejecting deletion requests lacking a valid owner relation.
  • If an upgrade or patch is not immediately possible, configure WordPress to block or restrict the /wp-json/aioseo/v1/ai/image-generator endpoint for non‑administrator roles, ensuring only privileged users can access it.

Generated by OpenCVE AI on April 22, 2026 at 16:40 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 17 Nov 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sat, 15 Nov 2025 22:15:00 +0000

Type Values Removed Values Added
First Time appeared Smub
Smub all In One Seo
Wordpress
Wordpress wordpress
Vendors & Products Smub
Smub all In One Seo
Wordpress
Wordpress wordpress

Sat, 15 Nov 2025 06:00:00 +0000

Type Values Removed Values Added
Description The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check in all versions up to, and including, 4.8.9. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments. This makes it possible for authenticated attackers, with Contributor-level access and above, to permanently delete arbitrary media attachments by ID via the REST API, granted they can determine valid attachment IDs.
Title All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.8.9 - Missing Authorization to Authenticated (Contributor+) Arbitrary Media Deletion
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N'}

Subscriptions

Smub All In One Seo
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T16:33:27.132Z

Reserved: 2025-11-06T21:04:39.818Z

Link: CVE-2025-12847

cve-icon Vulnrichment

Updated: 2025-11-17T18:42:42.215Z

cve-icon NVD

Status : Deferred

Published: 2025-11-15T06:15:43.383

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-12847

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-22T16:45:21Z

Weaknesses