AI Sec Watch: A Security Intelligence Platform for AI Systems

Luu, T.J.

CVE-2025-12360: The Better Find and Replace – AI-Powered Suggestions plugin for WordPress is vulnerable to unauthorized API usage due to

mediumvulnerabilityLLM-Specific

security

Source: NVD/CVE DatabaseNovember 6, 2025CVE-2025-12360

Summary

The Better Find and Replace plugin for WordPress (versions up to 1.7.7) has a security flaw where a function called rtafar_ajax() doesn't properly check user permissions, allowing low-level authenticated users (Subscriber-level access) to trigger OpenAI API key usage and consume quota, potentially costing money. This happens because the code is missing a capability check (a permission verification system that controls what users can do).

Vulnerability Details

CVSS Score

4.3(medium)

EPSS (30-day exploit probability)

EPSS: 0.0%

Classification

Attack Type

Other

Attack SophisticationTrivial

Impact (CIA+S)

integrityavailability

Taxonomy References

CWE (Weakness Type)

CWE-285

Affected Vendors

OpenAI

Related Issues

high

Anthropic accuses Chinese AI labs of mining Claude as US debates AI chip exports

Same vendorTechCrunch

high

CVE-2022-21727: Tensorflow is an Open Source Machine Learning Framework. The implementation of shape inference for `Dequantize` is vulne

First tracked: February 15, 2026 at 08:49 PM

Classified by LLM (prompt v3) · confidence: 85%