CVE-2025-12847: 
WordPress 脆弱性の分析と軽減

The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized arbitrary media attachment deletion in versions up to and including 4.8.9. The vulnerability was discovered and reported by Wordfence, with the CVE identifier CVE-2025-12847 being assigned on November 15, 2025 (NVD).

The vulnerability stems from a missing authorization check in the REST API endpoint /wp-json/aioseo/v1/ai/image-generator. The endpoint only verifies that users have the edit_posts capability (Contributors and above) without validating if they have permission to delete the specific media attachments. This security flaw allows authenticated attackers with Contributor-level access or higher to permanently delete arbitrary media attachments by ID via the REST API, provided they can determine valid attachment IDs. The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 MEDIUM (Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N) (NVD).

The vulnerability allows authenticated users with Contributor-level access or higher to delete any media attachment from the WordPress installation, regardless of ownership or permissions. This could lead to unauthorized deletion of important media files and potential disruption of website content (NVD).

Users should update to a version newer than 4.8.9 once available. Until then, site administrators should carefully review and potentially restrict Contributor and Author role assignments, as these roles can potentially exploit this vulnerability (NVD).