Description
Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Retrieve Embedded Sensitive Data.This issue affects All In One SEO Pack: from n/a through <= 4.8.6.1.
Published: 2025-12-18
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability allows the injection of sensitive information into sent data, enabling an attacker to retrieve embedded confidential data. The weakness is identified as CWE-201, which typifies unintended exposure of data that should remain confidential. A successful exploitation can lead to the disclosure of private configuration or user information, potentially compromising the integrity and confidentiality of the host system and its data.

Affected Systems

Syed Balkhi’s All In One SEO Pack plugin for WordPress is affected. Versions from the earliest releases up through 4.8.6.1 are vulnerable, with the issue documented for all releases prior to and including 4.8.6.1.

Risk and Exploitability

The CVSS score of 6.5 indicates a moderate severity vulnerability. The EPSS score of < 1% shows an exceptionally low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is through normal interactions with the plugin within a WordPress site, such as reviewing or creating content that triggers the plugin’s data handling routines. An attacker would need to exploit the plugin’s data processing path to read the sensitive data that is inadvertently included in outgoing content.

Generated by OpenCVE AI on April 29, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade All In One SEO Pack to version 4.9.0 or later, or to the latest available release, to eliminate the data exposure flaw.
  • If an immediate upgrade is not possible, disable or remove the plugin from the WordPress site to prevent the vulnerable code from executing.
  • After deactivation, identify and remove any configuration settings or files that might still expose sensitive data through other plugins or components.

Generated by OpenCVE AI on April 29, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 20 Jan 2026 15:30:00 +0000

Type Values Removed Values Added
References

Tue, 20 Jan 2026 14:45:00 +0000

Type Values Removed Values Added
References

Fri, 19 Dec 2025 09:30:00 +0000

Type Values Removed Values Added
First Time appeared Syed Balkhi
Syed Balkhi all In One Seo Pack
Wordpress
Wordpress wordpress
Vendors & Products Syed Balkhi
Syed Balkhi all In One Seo Pack
Wordpress
Wordpress wordpress

Thu, 18 Dec 2025 17:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 18 Dec 2025 07:45:00 +0000

Type Values Removed Values Added
Description Insertion of Sensitive Information Into Sent Data vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Retrieve Embedded Sensitive Data.This issue affects All In One SEO Pack: from n/a through <= 4.8.6.1.
Title WordPress All In One SEO Pack plugin <= 4.8.6.1 - Sensitive Data Exposure vulnerability
Weaknesses CWE-201
References

Subscriptions

Syed Balkhi All In One Seo Pack
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-29T09:51:55.857Z

Reserved: 2025-10-29T03:42:18.167Z

Link: CVE-2025-64295

cve-icon Vulnrichment

Updated: 2025-12-18T16:34:35.693Z

cve-icon NVD

Status : Deferred

Published: 2025-12-18T08:16:13.873

Modified: 2026-04-15T00:35:42.020

Link: CVE-2025-64295

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-29T19:00:06Z

Weaknesses