Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2025-12360

Summary
Assigner-Wordfence
Assigner Org ID-b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At-06 Nov, 2025 | 07:27
Updated At-06 Nov, 2025 | 14:51
Rejected At-
Credits

Better Find and Replace <= 1.7.7 - Missing Authorization

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:Wordfence
Assigner Org ID:b15e7b5b-3da4-40ae-a43c-f7aa60e62599
Published At:06 Nov, 2025 | 07:27
Updated At:06 Nov, 2025 | 14:51
Rejected At:
▼CVE Numbering Authority (CNA)
Better Find and Replace <= 1.7.7 - Missing Authorization

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost.

Affected Products
Vendor
codesolz
Product
Better Find and Replace – AI-Powered Suggestions
Default Status
unaffected
Versions
Affected
  • From * through 1.7.7 (semver)
Problem Types
TypeCWE IDDescription
CWECWE-285CWE-285 Improper Authorization
Type: CWE
CWE ID: CWE-285
Description: CWE-285 Improper Authorization
Metrics
VersionBase scoreBase severityVector
3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
finder
Adrian Lukita
Timeline
EventDate
Vendor Notified2025-10-28 04:23:43
Disclosed2025-11-05 19:08:46
Event: Vendor Notified
Date: 2025-10-28 04:23:43
Event: Disclosed
Date: 2025-11-05 19:08:46
Replaced By
Rejected Reason
References
HyperlinkResource
https://www.wordfence.com/threat-intel/vulnerabilities/id/757e41dd-d72f-4e87-a087-c5c38bd727e5?source=cve
N/A
https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L31
N/A
https://plugins.trac.wordpress.org/changeset/3389979/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php?contextall=1&old=3343531&old_path=%2Freal-time-auto-find-and-replace%2Ftrunk%2Fcore%2Factions%2FRTAFAR_CustomAjax.php
N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/757e41dd-d72f-4e87-a087-c5c38bd727e5?source=cve
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L31
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3389979/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php?contextall=1&old=3343531&old_path=%2Freal-time-auto-find-and-replace%2Ftrunk%2Fcore%2Factions%2FRTAFAR_CustomAjax.php
Resource: N/A
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security@wordfence.com
Published At:06 Nov, 2025 | 08:15
Updated At:06 Nov, 2025 | 19:45

The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check on the rtafar_ajax() function in all versions up to, and including, 1.7.7. This makes it possible for authenticated attackers, with Subscriber-level access, to trigger OpenAI API key usage resulting in quota consumption potentially incurring cost.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Primary3.14.3MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Type: Primary
Version: 3.1
Base score: 4.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-285Primarysecurity@wordfence.com
CWE ID: CWE-285
Type: Primary
Source: security@wordfence.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L31security@wordfence.com
N/A
https://plugins.trac.wordpress.org/changeset/3389979/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php?contextall=1&old=3343531&old_path=%2Freal-time-auto-find-and-replace%2Ftrunk%2Fcore%2Factions%2FRTAFAR_CustomAjax.phpsecurity@wordfence.com
N/A
https://www.wordfence.com/threat-intel/vulnerabilities/id/757e41dd-d72f-4e87-a087-c5c38bd727e5?source=cvesecurity@wordfence.com
N/A
Hyperlink: https://plugins.trac.wordpress.org/browser/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php#L31
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://plugins.trac.wordpress.org/changeset/3389979/real-time-auto-find-and-replace/trunk/core/actions/RTAFAR_CustomAjax.php?contextall=1&old=3343531&old_path=%2Freal-time-auto-find-and-replace%2Ftrunk%2Fcore%2Factions%2FRTAFAR_CustomAjax.php
Source: security@wordfence.com
Resource: N/A
Hyperlink: https://www.wordfence.com/threat-intel/vulnerabilities/id/757e41dd-d72f-4e87-a087-c5c38bd727e5?source=cve
Source: security@wordfence.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

57Records found
CVE-2025-12005
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 10.76%
||
7 Day CHG~0.00%
Published-25 Oct, 2025 | 05:31
Updated-27 Oct, 2025 | 15:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress <= 8.5.41 - Improper Authorization to Authenticated (Contributor+) Plugin Settings Update

The WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress plugin for WordPress is vulnerable to unauthorized access of data in all versions up to, and including, 8.5.41. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with contributor level access and above, to modify sensitive plugin options.

Action-Not Available
Vendor-rextheme
Product-WP VR – 360 Panorama and Free Virtual Tour Builder For WordPress
CWE ID-CWE-285
Improper Authorization
CVE-2022-29234
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.33% / 55.08%
||
7 Day CHG~0.00%
Published-01 Jun, 2022 | 23:20
Updated-23 Apr, 2025 | 18:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Grace period for lock settings in public/private chats in BigBlueButton

BigBlueButton is an open source web conferencing system. Starting in version 2.2 and prior to versions 2.3.18 and 2.4.1, an attacker could send messages to a locked chat within a grace period of 5s any lock setting in the meeting was changed. The attacker needs to be a participant in the meeting. Versions 2.3.18 and 2.4.1 contain a patch for this issue. There are currently no known workarounds.

Action-Not Available
Vendor-bigbluebuttonbigbluebutton
Product-bigbluebuttonbigbluebutton
CWE ID-CWE-285
Improper Authorization
CVE-2025-10902
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.04% / 11.57%
||
7 Day CHG~0.00%
Published-24 Oct, 2025 | 08:24
Updated-27 Oct, 2025 | 13:20
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Originality.ai AI Checker <= 1.0.12 - Missing Authorization to Authenticated (Subscriber+) Scan Log Deletion via ' ai_scan_result_remove'

The Originality.ai AI Checker plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'ai_scan_result_remove' function in all versions up to, and including, 1.0.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to delete all data in the wp_originalityai_log database table, which can include post titles, scan scores, credits used, and other data.

Action-Not Available
Vendor-originalityai
Product-Originality.ai AI Checker
CWE ID-CWE-285
Improper Authorization
CVE-2025-11510
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.05% / 14.65%
||
7 Day CHG+0.01%
Published-18 Oct, 2025 | 06:42
Updated-21 Oct, 2025 | 19:31
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
FileBird <= 6.4.9 - Improper Authorization to Authenticated (Author+) Settings Reset

The FileBird – WordPress Media Library Folders & File Manager plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the /filebird/v1/fb-wipe-clear-all-data function in all versions up to, and including, 6.4.9. This makes it possible for authenticated attackers, with author-level access and above, to reset all of the plugin's configuration data.

Action-Not Available
Vendor-NinjaTeam
Product-FileBird – WordPress Media Library Folders & File Manager
CWE ID-CWE-285
Improper Authorization
CVE-2025-10422
Matching Score-4
Assigner-VulDB
ShareView Details
Matching Score-4
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-0.03% / 8.29%
||
7 Day CHG-0.03%
Published-15 Sep, 2025 | 02:32
Updated-14 Oct, 2025 | 19:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
newbee-mall Order Status paySuccess improper authorization

A vulnerability has been found in newbee-mall up to 613a662adf1da7623ec34459bc83e3c1b12d8ce7. This issue affects the function paySuccess of the file /paySuccess of the component Order Status Handler. The manipulation of the argument orderNo leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.

Action-Not Available
Vendor-newbee-mall_projectn/a
Product-newbee-mallnewbee-mall
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2024-9531
Matching Score-4
Assigner-Wordfence
ShareView Details
Matching Score-4
Assigner-Wordfence
CVSS Score-4.3||MEDIUM
EPSS-0.14% / 33.31%
||
7 Day CHG~0.00%
Published-24 Oct, 2024 | 07:35
Updated-05 Jun, 2025 | 16:56
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution <= 4.2.4 - Missing Authorization to Forged Vendor Profile Deletion Email Sending

The MultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'mvx_sent_deactivation_request' function in all versions up to, and including, 4.2.4. This makes it possible for authenticated attackers, with Subscriber-level access and above, to send a canned email to the site's administrator asking to delete the profile of an arbitrary vendor.

Action-Not Available
Vendor-multivendorxwcmp
Product-multivendorxMultiVendorX – The Ultimate WooCommerce Multivendor Marketplace Solution
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-862
Missing Authorization
CVE-2025-23024
Matching Score-4
Assigner-GitHub, Inc.
ShareView Details
Matching Score-4
Assigner-GitHub, Inc.
CVSS Score-6.9||MEDIUM
EPSS-0.11% / 28.95%
||
7 Day CHG~0.00%
Published-25 Feb, 2025 | 15:47
Updated-04 Mar, 2025 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GLPI: Plugins are disabled accessing one page

GLPI is a free asset and IT management software package. Starting in version 0.72 and prior to version 10.0.18, an anonymous user can disable all the active plugins. Version 10.0.18 contains a patch. As a workaround, one may delete the `install/update.php` file.

Action-Not Available
Vendor-GLPI Project
Product-glpiglpi
CWE ID-CWE-285
Improper Authorization
  • Previous
  • 1
  • 2
  • Next
Details not found