Description
The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source.
Published: 2026-05-20
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The All in One SEO plugin for WordPress contains a flaw that allows authenticated users with contributor level or higher to view sensitive internal data. When a post‑editor page loads, the plugin passes its internalOptions to wp_localize_script without masking. This exposes API/OAuth tokens and license values directly in page source. The result is a confidentiality breach, enabling an attacker to obtain credentials that could be used to access external services or to compromise the site further. The weakness is classified as CWE-200.

Affected Systems

WordPress installations that include the All in One SEO plugin version 4.9.7 or earlier are affected. The issue surfaces only in environments where the post editor is used, so sites that host content editors and have contributors or higher permission roles are at risk. Administrators should check for any installed version of the plugin that matches or is older than 4.9.7.

Risk and Exploitability

The CVSS score is 4.3, indicating a moderate severity. The EPSS score is not available, and the vulnerability is not listed in CISA’s KEV. The attack requires authenticated access with contributor rights or higher, so privilege escalation is not necessary. However, once logged in, an attacker can simply view the page source to harvest exposed tokens. Given the broad user base of WordPress and the many sites that still run older versions, the exposure poses a notable risk to confidentiality, but the exploitability is limited to trusted users of the site.

Generated by OpenCVE AI on May 20, 2026 at 06:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade All in One SEO to the latest version that removes the internalOptions from localized script output.
  • Exclude the internalOptions array from wp_localize_script during post editor rendering to eliminate accidental exposure.
  • Revoke or rotate any OAuth tokens and API keys that have been exposed, and ensure they are stored securely.
  • Audit user roles to restrict contributor access to only those who truly need it, minimizing the number of users with the ability to trigger the exposed script.

Generated by OpenCVE AI on May 20, 2026 at 06:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 20 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 20 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Smub
Smub all In One Seo – Powerful Seo Plugin To Boost Seo Rankings & Increase Traffic
Wordpress
Wordpress wordpress
Vendors & Products Smub
Smub all In One Seo – Powerful Seo Plugin To Boost Seo Rankings & Increase Traffic
Wordpress
Wordpress wordpress

Wed, 20 May 2026 05:00:00 +0000

Type Values Removed Values Added
Description The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source.
Title All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data
Weaknesses CWE-200
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Subscriptions

Smub All In One Seo – Powerful Seo Plugin To Boost Seo Rankings & Increase Traffic
Wordpress Wordpress
cve-icon MITRE

Status: PUBLISHED

Assigner: Wordfence

Published:

Updated: 2026-05-20T14:17:02.195Z

Reserved: 2026-03-28T13:09:05.383Z

Link: CVE-2026-5075

cve-icon Vulnrichment

Updated: 2026-05-20T14:16:58.362Z

cve-icon NVD

Status : Deferred

Published: 2026-05-20T05:16:22.120

Modified: 2026-05-20T13:54:54.890

Link: CVE-2026-5075

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-20T10:37:57Z

Weaknesses