{"data":{"id":"812d9aa0-b37f-4753-8e48-21cb4fd74dd8","title":"CVE-2025-12360: The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to a missing capability check","summary":"The Better Find and Replace plugin for WordPress (versions up to 1.7.7) has a security flaw: the rtafar_ajax() function does not verify the caller's permissions, so authenticated users with Subscriber-level access and above can trigger requests that use the site's OpenAI API key, consuming its quota and potentially incurring costs for the site owner. The root cause is a missing capability check (WordPress's permission mechanism that controls which actions a user may perform).","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2025-12360","publishedAt":"2025-11-06T13:15:38.720Z","cveId":"CVE-2025-12360","cweIds":["CWE-285"],"cvssScore":"4.3","cvssSeverity":"medium","severity":"medium","attackType":["other"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["OpenAI"],"affectedVendorsRaw":["OpenAI"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0.00045,"patchAvailable":null,"disclosureDate":null,"capecIds":null,"crossRefCount":0,"attackSophistication":"trivial","impactType":["integrity","availability"],"aiComponentTargeted":"api","llmSpecific":true,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":null}}