Plugin is vulnerable to unauthorized arbitrary media attachment deletion due to a missing authorization check. This is due to the REST API endpoint `/wp-json/aioseo/v1/ai/image-generator` only verifying that users have the `edit_posts` capability (Contributors and above) without checking if they own or have permission to delete the specific media attachments.
This vulnerability affects the following application versions:
- All in One SEO Pack 4.8.8
- All in One SEO Pack 4.8.9