CVE-2025-14384
BaseFortify
Publication date: 2026-01-16
Last updated on: 2026-01-16
Assigner: Wordfence
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| semperfi | webmaster | to 4.9.2 (inc) |
| semperfi | webmaster | 4.9.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the All in One SEO plugin for WordPress, where a missing capability check on the /aioseo/v1/ai/credits REST route allows authenticated users with Contributor-level access or higher to access sensitive data. Specifically, these users can disclose the global AI access token without proper authorization.
How can this vulnerability impact me? :
The impact of this vulnerability is that an attacker with Contributor-level access or above can obtain the global AI access token, which could potentially be used to access or manipulate AI-related features or data within the plugin. This unauthorized disclosure could lead to misuse of AI services or compromise of related data.
What immediate steps should I take to mitigate this vulnerability?
Update the All in One SEO plugin to version 4.9.3 or later, as this version includes a comprehensive update that likely addresses the vulnerability. Until the update is applied, restrict Contributor-level access and above to trusted users only to reduce the risk of unauthorized data disclosure. [2]