Description
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token.
Published: 2026-01-16
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Sensitive Data Disclosure
Action: Apply Patch
AI Analysis

Impact

The All in One SEO plugin for WordPress registers the REST route "/aioseo/v1/ai/credits" without a capability check, an instance of CWE-862 (Missing Authorization). Any authenticated user with Contributor-level access or higher can request the route and read the site's global AI access token. The CVSS vector rates the result as a partial loss of confidentiality only (C:L, I:N, A:N); what an attacker can do with the disclosed token depends on the AI service it authenticates to, which the advisory does not detail.

Affected Systems

This vulnerability affects the All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic by smub, versions up to and including 4.9.2. No other versions or products are listed as affected.

Risk and Exploitability

The CVSS 3.1 base score of 4.3 (Medium; vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) reflects a network-reachable, low-complexity flaw that requires a low-privilege account and affects confidentiality only. The EPSS score below 1% suggests a low probability of exploitation at this time, and the vulnerability is not in CISA KEV. An attacker must hold at least a Contributor account, which narrows the pool of potential attackers; Contributor is, however, the role commonly given to guest or external authors, and once that precondition is met the token is disclosed in a single request.

Generated by OpenCVE AI on April 20, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround is recorded on this page. The affected range ends at 4.9.2, so check the plugin's changelog for the first release above that version.

OpenCVE Recommended Actions

  • Update All in One SEO to a release later than 4.9.2 that adds a capability check to the "/aioseo/v1/ai/credits" route, and confirm the installed version afterwards from the Plugins screen or WP-CLI.
  • If an update is not immediately possible, block the route site-side: deny requests to "/aioseo/v1/ai/credits" from any user who lacks an administrative capability such as manage_options, for example from a must-use plugin hooked into REST dispatch. WordPress core offers no setting that disables a single plugin route, so this is a code change rather than a configuration change.
  • Treat the global AI access token as compromised if any Contributor-or-higher account could have reached the endpoint while a vulnerable version was installed: rotate or revoke it after updating, and review web server or REST access logs for requests to the route from non-administrative accounts.
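The following is an added example written for this page, not code from All in One SEO or from OpenCVE. It is a WordPress must-use plugin (PHP) that applies the site-side guard described in the second recommended action, and its header comment shows the same current_user_can() check that a REST route's permission_callback should return, which is the missing check the Impact section describes. The route path comes from the advisory; the capability (manage_options), the function and constant names and the error code are choices made here, not facts from the page.

```php
<?php
/**
 * Plugin Name: Guard /aioseo/v1/ai/credits (illustrative hotfix)
 * Description: Refuses the AIOSEO AI credits REST route to users who lack
 *              an administrative capability. Added example, not vendor code.
 *
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins, and
 * remove it once All in One SEO has been updated past 4.9.2.
 *
 * The underlying flaw class is a route registered with a permission_callback
 * that admits everyone, e.g.
 *     'permission_callback' => '__return_true',
 * where the fix is a callback that actually checks a capability:
 *     'permission_callback' => function () { return current_user_can( 'manage_options' ); },
 * The guard below applies that same check from outside the plugin.
 */

defined( 'ABSPATH' ) || exit;

// Capability required to read the AI credits/token. Assumption made here:
// only administrators should ever see the global token.
const GUARD_AIOSEO_AI_CAP = 'manage_options';

// Route from the advisory. Compared without a trailing slash.
const GUARD_AIOSEO_AI_ROUTE = '/aioseo/v1/ai/credits';

/**
 * True when the request targets the guarded route.
 *
 * @param WP_REST_Request $request The current request.
 * @return bool
 */
function guard_aioseo_is_guarded_route( WP_REST_Request $request ) {
	$route = rtrim( $request->get_route(), '/' );
	return GUARD_AIOSEO_AI_ROUTE === $route;
}

/**
 * rest_pre_dispatch runs before WordPress resolves the route handler, so
 * returning a WP_Error here short-circuits dispatch: the plugin's callback
 * never executes and the error becomes the HTTP response. Authentication
 * (cookie+nonce or application password) has already run by this point,
 * so current_user_can() reflects the calling account.
 *
 * @param mixed           $result  Non-null if an earlier filter already answered.
 * @param WP_REST_Server  $server  The REST server instance (unused here).
 * @param WP_REST_Request $request The current request.
 * @return mixed
 */
function guard_aioseo_ai_credits_pre_dispatch( $result, $server, $request ) {
	if ( null !== $result ) {
		return $result;
	}
	if ( ! guard_aioseo_is_guarded_route( $request ) ) {
		return $result;
	}
	if ( current_user_can( GUARD_AIOSEO_AI_CAP ) ) {
		return $result; // Authorised; let the plugin handle it.
	}
	// Same status convention core uses: 401 for anonymous, 403 for logged-in.
	return new WP_Error(
		'rest_forbidden',
		__( 'Sorry, you are not allowed to do that.' ),
		array( 'status' => is_user_logged_in() ? 403 : 401 )
	);
}
add_filter( 'rest_pre_dispatch', 'guard_aioseo_ai_credits_pre_dispatch', 10, 3 );
```

To verify, call GET /wp-json/aioseo/v1/ai/credits from a Contributor account (an application password is the simplest way): the response should now be HTTP 403 with code rest_forbidden, while an administrator still receives the plugin's normal response. If your site deliberately grants non-administrator roles access to the plugin's AI features, choose a capability that matches that policy instead of manage_options; otherwise those users will be blocked as well until the plugin is updated.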



Advisories

No advisories yet.

History

Fri, 16 Jan 2026 14:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Smub
                                      Smub all In One Seo
                                      Wordpress
                                      Wordpress wordpress
Vendors & Products                    Smub
                                      Smub all In One Seo
                                      Wordpress
                                      Wordpress wordpress
Metrics                               ssvc
                                      {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 16 Jan 2026 05:00:00 +0000

Type          Values Removed   Values Added
Description                    The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token.
Title                          All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure
Weaknesses                     CWE-862
References                     (none)
Metrics                        cvssV3_1
                               {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-04-08T17:33:09.679Z

Reserved: 2025-12-09T19:40:21.846Z

Link: CVE-2025-14384

Vulnrichment

Updated: 2026-01-16T14:10:17.699Z

NVD

Status : Deferred

Published: 2026-01-16T05:16:11.623

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-14384

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-20T21:15:20Z

Weaknesses