All in One SEO WordPress Plugin Sensitive Information Exposure Vulnerability

Vulnerability

A sensitive information exposure vulnerability has been identified in the All in One SEO plugin for WordPress, affecting versions through 4.9.7. The plugin passes internal option data to wp_localize_script() in post editor contexts without masking it for low-privileged users, and wp_localize_script() prints that data into the page as inline JavaScript. As a result, authenticated attackers with contributor-level access and above can read API/OAuth tokens and license-related information from the page source.

Impact

Exploitation of this vulnerability allows authenticated users with contributor-level access and above to view sensitive internal option data, including API/OAuth tokens and license-related values, through the page source.

Remediation

Users are advised to update the All in One SEO plugin to version 4.9.7.1 or a newer patched version.
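To confirm that the update took effect, a site owner can check the post editor page as rendered for a contributor-level test account. The following is an added example, not code from the plugin or from this advisory: it parses the `var name = {...};` objects that wp_localize_script() emits and lists sensitive-looking keys that still carry a value. The object name, key names, key-name patterns and sample HTML are constructed assumptions, and it assumes a masked value is an empty string.

```python
import json
import re

# Key-name fragments treated as sensitive (assumed list; tune for your site).
SENSITIVE = re.compile(r"(token|secret|license|api_?key|password)", re.I)
# wp_localize_script() prints: var <objectName> = <JSON>;
LOCALIZED = re.compile(r"\bvar\s+([A-Za-z_$][\w$]*)\s*=\s*")

# Constructed sample of an editor page saved while logged in as a contributor.
SAMPLE_EDITOR_HTML = """
<script id="example-seo-js-extra">
var exampleSeo = {"options":{"general":{"licenseKey":"CONSTRUCTED-LICENSE"},
 "integrations":{"search":{"oauthToken":"CONSTRUCTED-TOKEN",
 "siteUrl":"https://example.test"}}},"user":{"role":"contributor"}};
</script>
"""

def extract_localized(html):
    """Return {object_name: decoded_json} for each localized script object."""
    decoder = json.JSONDecoder()
    found = {}
    for match in LOCALIZED.finditer(html):
        try:
            obj, _ = decoder.raw_decode(html, match.end())
        except json.JSONDecodeError:
            continue  # ordinary JavaScript assignment, not localized JSON
        if isinstance(obj, (dict, list)):
            found[match.group(1)] = obj
    return found

def exposed_paths(node, path=""):
    """Yield paths of non-empty string values stored under sensitive key names."""
    if isinstance(node, dict):
        for key, value in node.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, str) and value and SENSITIVE.search(key):
                yield child  # report the location only, never the value
            else:
                yield from exposed_paths(value, child)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from exposed_paths(value, f"{path}[{index}]")

def audit(html):
    """Return sorted 'object.path' entries that expose a sensitive value."""
    return sorted(f"{name}.{path}"
                  for name, obj in extract_localized(html).items()
                  for path in exposed_paths(obj))

if __name__ == "__main__":
    for finding in audit(SAMPLE_EDITOR_HTML):
        print("unmasked:", finding)
```

An empty result for the contributor account's editor page means no value matching these key patterns is reaching low-privileged users.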

Added: May 20, 2026, 5:21 AM
Updated: May 20, 2026, 5:21 AM

Vulnerability Rating

Custom Algorithm

spread: 7.6
impact: 2.5
exploitability: 6.1
remediation: 7.7
relevance: 8.7
threat: 3.2
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.