Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Blind SQL Injection. This issue affects All In One SEO Pack: from n/a through <= 4.9.1.
Published: 2025-12-16
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Blind SQL Injection
Action: Patch Now
AI Analysis

Impact

An SQL injection flaw exists in the All In One SEO Pack plugin developed by Syed Balkhi. The vulnerability allows an attacker to embed malicious SQL commands that are executed by the WordPress database engine, enabling the attacker to read, modify, or delete data stored in the WordPress database. This can compromise the confidentiality, integrity, or availability of site content or configuration. The weakness is classified as CWE‑89, Improper Neutralization of Special Elements used in an SQL Command.

Affected Systems

WordPress sites running the All In One SEO Pack plugin version 4.9.1 or earlier are at risk. The affected package is identified as Syed Balkhi:All In One SEO Pack. Any instance of the plugin with a version number 4.9.1 or lower is considered vulnerable.

Risk and Exploitability

The CVSS score is 8.5, indicating high severity. The EPSS score is less than 1%, suggesting that the likelihood of active exploitation at scale is low but not negligible. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web-based, exploiting the plugin's handling of user input supplied through HTTP requests. Successful exploitation would give an attacker blind read or modify capabilities against the WordPress database, potentially leading to full compromise of the installation.

Generated by OpenCVE AI on April 28, 2026 at 10:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the All In One SEO Pack plugin to version 4.9.2 or newer to apply the SQL injection fix.
  • If an update cannot be applied immediately, disable the All In One SEO Pack plugin to eliminate the injection surface.
  • Monitor the WordPress database and server logs for suspicious activity and irregular queries that may indicate attempted or successful exploitation.



Advisories

No advisories yet.

History

Thu, 23 Apr 2026 15:00:00 +0000

Type: Metrics
Values Removed: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}
Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L'}


Tue, 20 Jan 2026 15:30:00 +0000


Tue, 20 Jan 2026 14:45:00 +0000


Tue, 16 Dec 2025 22:15:00 +0000

Type: Metrics
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 16 Dec 2025 21:30:00 +0000

Type: Metrics
Values Added: cvssV3_1 {'score': 8.5, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H'}


Tue, 16 Dec 2025 17:15:00 +0000

Type: First Time appeared
Values Added: Syed Balkhi; Syed Balkhi all In One Seo Pack; Wordpress; Wordpress wordpress
Type: Vendors & Products
Values Added: Syed Balkhi; Syed Balkhi all In One Seo Pack; Wordpress; Wordpress wordpress

Tue, 16 Dec 2025 08:30:00 +0000

Values Added:
Description: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Blind SQL Injection.This issue affects All In One SEO Pack: from n/a through <= 4.9.1.
Title: WordPress All In One SEO Pack plugin <= 4.9.1 - SQL Injection vulnerability
Weaknesses: CWE-89
References

Subscriptions

Syed Balkhi All In One Seo Pack
Wordpress Wordpress
MITRE

Status: PUBLISHED

Assigner: Patchstack

Published:

Updated: 2026-04-28T16:14:24.486Z

Reserved: 2025-12-15T10:00:16.552Z

Link: CVE-2025-67950

Vulnrichment

Updated: 2025-12-16T20:08:44.034Z

NVD

Status : Deferred

Published: 2025-12-16T09:15:59.580

Modified: 2026-04-27T18:16:51.233

Link: CVE-2025-67950

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T10:15:28Z

Weaknesses