CVE-2025-12360: Better Find and Replace – AI-Powered Suggestions: missing capability check lets Subscriber-level users consume the site's OpenAI API quota

MEDIUM
Published November 6, 2025
CISO Take

Any subscriber-level WordPress user on sites running this plugin can drain your OpenAI API quota, incurring real charges with zero technical skill required. Patch to 1.7.8+ immediately, rotate the stored OpenAI API key, and set a spending cap on the key via OpenAI's platform. If your site allows open subscriber registration, treat this as actively exploitable.

What is the risk?

Low-medium severity with disproportionate financial exposure relative to CVSS score. Exploitability is trivial — no tooling or AI knowledge required, just a valid subscriber account and a POST request to the AJAX endpoint. Impact is bounded to quota exhaustion and cost, not data breach or RCE, but financial damage scales with API spend limits and attacker persistence. Risk amplified on sites with open user registration or high-traffic WooCommerce stores.

How severe is it?

CVSS 3.1
4.3 / 10
EPSS
0.2%
chance of exploitation in 30 days
Higher than 9% of all CVEs
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): Low
UI (User Interaction): None
S (Scope): Unchanged
C (Confidentiality): None
I (Integrity): Low
A (Availability): None

What should I do?

6 steps
  1. PATCH

    Update plugin to 1.7.8+ immediately — the changeset at trac.wordpress.org confirms the capability check fix.

  2. ROTATE KEY

    Invalidate the OpenAI API key stored in WordPress settings and generate a new scoped key.

  3. SCOPE THE KEY

    Create a dedicated OpenAI API key for this plugin with spending caps and rate limits via platform.openai.com.

  4. AUDIT USAGE

    Review OpenAI usage dashboard for anomalous spikes in the 90 days prior to patching.

  5. HARDEN REGISTRATION

    Disable open subscriber registration if it is not required (Settings → General → "Anyone can register"), or require email verification before new accounts become active.

  6. ALERT

    Configure OpenAI usage threshold alerts to detect future abuse within hours.
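For sites that cannot move to 1.7.8+ at once, the PATCH, AUDIT and ALERT steps above can be bridged with a must-use plugin that runs before the vulnerable handler and records every call. This is an added example, not code from the plugin or its author. It assumes the handler is registered on the wp_ajax_rtafar_ajax hook (that is, action=rtafar_ajax as described in the exploitation scenario on this page), that WP_DEBUG_LOG is enabled so error_log() output lands in wp-content/debug.log, and an arbitrary per-user hourly budget; confirm the action name against the installed plugin before deploying it.

```php
<?php
/*
 * Plugin Name: Interim guard for the rtafar_ajax action
 * Description: Added example, not the Better Find and Replace plugin's own code.
 * Drop into wp-content/mu-plugins/ on sites still on <= 1.7.7. Assumes the
 * vulnerable handler is hooked on 'wp_ajax_rtafar_ajax'; the hourly budget
 * below is an assumed value, not a figure from the advisory.
 */

defined( 'ABSPATH' ) || exit;

const EXAMPLE_AI_ACTION       = 'rtafar_ajax';
const EXAMPLE_AI_MAX_PER_HOUR = 30;

function example_ai_guard_log( $verdict, $user_id, $ip, $calls ) {
    // With WP_DEBUG_LOG on this lands in wp-content/debug.log; grep for
    // 'ai-guard' to see which accounts hit the action and how often.
    error_log( sprintf(
        'ai-guard: %s action=%s user=%d ip=%s calls_this_hour=%d',
        $verdict, EXAMPLE_AI_ACTION, $user_id, $ip, $calls
    ) );
}

function example_ai_guard() {
    $user_id = get_current_user_id();
    $ip      = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';

    // Count calls per user per hour. Transients are not atomic, so this is a
    // best-effort budget, not an exact meter; the billing record is OpenAI's.
    $key   = 'example_ai_guard_' . $user_id;
    $calls = (int) get_transient( $key ) + 1;
    set_transient( $key, $calls, HOUR_IN_SECONDS );

    // The missing capability check: Subscribers have 'read' but not
    // 'edit_posts', so they are refused before the plugin's own callback
    // (default priority 10) ever runs.
    if ( ! current_user_can( 'edit_posts' ) ) {
        example_ai_guard_log( 'DENY', $user_id, $ip, $calls );
        // Ends the request via wp_die(); the plugin handler never executes.
        wp_send_json_error( array( 'message' => 'Forbidden' ), 403 );
    }

    // Authorised users get a budget too: one looping editor drains the key as well.
    if ( $calls > EXAMPLE_AI_MAX_PER_HOUR ) {
        example_ai_guard_log( 'RATE_LIMIT', $user_id, $ip, $calls );
        wp_send_json_error( array( 'message' => 'Too many requests' ), 429 );
    }

    example_ai_guard_log( 'ALLOW', $user_id, $ip, $calls );
}

// Priority 0 so the guard runs ahead of the plugin's handler on the same hook.
add_action( 'wp_ajax_' . EXAMPLE_AI_ACTION, 'example_ai_guard', 0 );
```

The guard cannot know the plugin's nonce action, so it enforces no nonce; that belongs in the fixed plugin. Remove the file once 1.7.8+ is installed, or keep only the logging call if the per-user telemetry is still wanted for the ALERT step.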

What does CISA's SSVC say?

Decision Track
Exploitation none
Automatable No
Technical Impact partial

Source: CISA Vulnrichment (SSVC v2.0). Decision based on the CISA Coordinator decision tree.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
A.6.2 - AI system access control and authorization
NIST AI RMF
GOVERN 1.1 - Organizational policies for AI risk management
OWASP LLM Top 10
LLM04 - Model Denial of Service
LLM07 - Insecure Plugin Design

Frequently Asked Questions

What is CVE-2025-12360?

CVE-2025-12360 is a missing capability check in the rtafar_ajax() AJAX handler of the Better Find and Replace – AI-Powered Suggestions plugin for WordPress, affecting all versions up to and including 1.7.7. Any authenticated user with Subscriber-level access can invoke the handler and trigger OpenAI API calls billed to the site's stored API key, consuming quota and incurring cost. Fixed in 1.7.8; after updating, rotate the stored key and set a spending cap on it via OpenAI's platform.

Is CVE-2025-12360 actively exploited?

No confirmed active exploitation of CVE-2025-12360 has been reported, but organizations should still patch proactively.

How to fix CVE-2025-12360?

1. PATCH: Update the plugin to 1.7.8 or later; the changeset at trac.wordpress.org confirms the capability check fix.
2. ROTATE KEY: Invalidate the OpenAI API key stored in WordPress settings and generate a new scoped key.
3. SCOPE THE KEY: Create a dedicated OpenAI API key for this plugin with spending caps and rate limits via platform.openai.com.
4. AUDIT USAGE: Review the OpenAI usage dashboard for anomalous spikes in the 90 days prior to patching.
5. HARDEN REGISTRATION: Disable open subscriber registration if it is not required, or add email verification.
6. ALERT: Configure OpenAI usage threshold alerts to detect future abuse within hours.

What systems are affected by CVE-2025-12360?

This vulnerability affects the Better Find and Replace – AI-Powered Suggestions plugin for WordPress in all versions up to and including 1.7.7, on any site where the plugin is active and an OpenAI API key is configured. More generally it is an instance of the following AI/ML architecture patterns: WordPress AI plugin integrations, third-party LLM API key management, CMS-integrated AI features, and shared API credential deployments.

What is the CVSS score for CVE-2025-12360?

CVE-2025-12360 has a CVSS v3.1 base score of 4.3 (MEDIUM). The EPSS exploitation probability is 0.19%.

What is the AI security impact?

Affected AI Architectures

WordPress AI plugin integrations
Third-party LLM API key management
CMS-integrated AI features
Shared API credential deployments

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0029 Denial of AI Service
AML.T0034 Cost Harvesting
AML.T0040 AI Model Inference API Access
AML.T0048.000 Financial Harm
AML.T0049 Exploit Public-Facing Application

Compliance Controls Affected

ISO 42001: A.6.2
NIST AI RMF: GOVERN 1.1
OWASP LLM Top 10: LLM04, LLM07

What are the technical details?

Original Advisory

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost.

Exploitation Scenario

The attacker registers a free subscriber account on a WordPress site (or uses a compromised low-privilege account). Subscribers cannot see the Plugins screen, so they identify the vulnerable plugin by enumerating plugin asset paths under wp-content/plugins/ or version strings in page source. They then send repeated authenticated POST requests to wp-admin/admin-ajax.php with action=rtafar_ajax, each of which triggers an OpenAI completion billed to the site's stored API key. With a simple request loop, an attacker can exhaust a $100/month quota in under an hour, disable the plugin's AI features for legitimate editors, and potentially trigger overage charges or account suspension. No special tools or AI expertise are required.

Weaknesses (CWE)

CWE-285 — Improper Authorization: The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.

  • [Architecture and Design] Divide the product into anonymous, normal, privileged, and administrative areas. Reduce the attack surface by carefully mapping roles with data and functionality. Use role-based access control (RBAC) to enforce the roles at the appropriate boundaries. Note that this approach may not protect against horizontal authorization, i.e., it will not protect a user from attacking others with the same role.
  • [Architecture and Design] Ensure that you perform access control checks related to your business logic. These checks may be different than the access control checks that you apply to more generic resources such as files, connections, processes, memory, and database records. For example, a database may restrict access for medical records to a specific database user, but each record might only be intended to be accessible to the patient and the patient's doctor.

Source: MITRE CWE corpus.
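The handler pattern behind the exploitation scenario and the CWE-285 guidance above, as an added example in PHP that is not the plugin's own code: the action, function and option names (example_suggest, example_openai_api_key) are assumptions, and the OpenAI request is a plain chat-completions call. The vulnerable form answers any logged-in user; the hardened form ties the action to a nonce and to the edit_posts capability, which Subscribers lack, and bounds the prompt before the key is spent.

```php
<?php
/*
 * Added example (not the Better Find and Replace plugin's code): an admin-ajax
 * handler that proxies prompts to OpenAI, first in the vulnerable shape the
 * advisory describes, then hardened. Action, function and option names are
 * assumptions made for this example.
 */

// Shared helper: one chat-completions call billed to the key stored in wp_options.
function example_call_openai( $prompt ) {
    $api_key  = get_option( 'example_openai_api_key' ); // assumed option name
    $response = wp_remote_post(
        'https://api.openai.com/v1/chat/completions',
        array(
            'timeout' => 20,
            'headers' => array(
                'Authorization' => 'Bearer ' . $api_key,
                'Content-Type'  => 'application/json',
            ),
            'body'    => wp_json_encode(
                array(
                    'model'      => 'gpt-4o-mini',
                    'max_tokens' => 200,
                    'messages'   => array( array( 'role' => 'user', 'content' => $prompt ) ),
                )
            ),
        )
    );
    if ( is_wp_error( $response ) ) {
        return array( 'error' => $response->get_error_message() );
    }
    return json_decode( wp_remote_retrieve_body( $response ), true );
}

// VULNERABLE (CWE-285). A wp_ajax_* hook only requires a logged-in session, so
// every Subscriber can reach this and spend the key. Shown for contrast; not
// registered below.
function example_suggest_vulnerable() {
    $prompt = isset( $_POST['prompt'] ) ? sanitize_text_field( wp_unslash( $_POST['prompt'] ) ) : '';
    wp_send_json_success( example_call_openai( $prompt ) );
}

// HARDENED: authorise the action (spending money), not merely the login.
function example_suggest_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action
    //    (wp_create_nonce( 'example_suggest' ) on the page that issues it).
    //    check_ajax_referer() dies on a missing or stale nonce.
    check_ajax_referer( 'example_suggest', 'nonce' );

    // 2. Capability: Subscribers hold 'read' but not 'edit_posts'. Choose the
    //    capability that matches who is meant to use the paid feature.
    if ( ! current_user_can( 'edit_posts' ) ) {
        // wp_send_json_error() ends the request via wp_die().
        wp_send_json_error( array( 'message' => 'Not allowed.' ), 403 );
    }

    // 3. Input bounds: a prompt length limit also caps what one call can cost.
    $prompt = isset( $_POST['prompt'] ) ? sanitize_text_field( wp_unslash( $_POST['prompt'] ) ) : '';
    if ( '' === $prompt || strlen( $prompt ) > 2000 ) {
        wp_send_json_error( array( 'message' => 'Prompt missing or too long.' ), 400 );
    }

    wp_send_json_success( example_call_openai( $prompt ) );
}
add_action( 'wp_ajax_example_suggest', 'example_suggest_hardened' );
```

The capability check is the class of fix the advisory's changeset describes. The nonce is a separate control: check_ajax_referer() verifies only the nonce, not the role, so a handler needs both to stop a Subscriber (capability) and a cross-site form driving a logged-in editor (nonce).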

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

Timeline

Published
November 6, 2025
Last Modified
April 15, 2026
First Seen
November 6, 2025

Related Vulnerabilities