CVE-2026-5075
Sensitive Information Exposure in All in One SEO WordPress Plugin
Publication date: 2026-05-20
Last updated on: 2026-05-20
Assigner: Wordfence
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| all_in_one_seo | all_in_one_seo | up to and including 4.9.7 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
The All in One SEO plugin for WordPress versions up to and including 4.9.7 has a vulnerability where sensitive internal option data is exposed via the 'internalOptions' localized script data. This happens because sensitive data is passed to the wp_localize_script() function in post editor contexts without proper masking for users with low privileges.
As a result, authenticated attackers with contributor-level access or higher can view sensitive information such as configured API/OAuth tokens and license-related values by inspecting the page source.
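The pattern described above, shown as an added PHP example that is not the plugin's own code: an unmasked `wp_localize_script()` call beside a version that masks secrets for low-privilege users. The script handle, object name, option name, key names and the choice of `manage_options` as the privileged capability are all assumptions made for illustration.

```php
<?php
// Added illustration, not plugin code. Handle, object, option and key names are hypothetical.

// Constructed deny-list of keys whose values must not reach a low-privilege browser.
const EXAMPLE_SECRET_KEYS = array( 'accessToken', 'refreshToken', 'licenseKey' );

// Recursively blank secret values while keeping the array shape the editor script expects.
function example_mask_secrets( array $options ) {
	foreach ( $options as $key => $value ) {
		if ( in_array( $key, EXAMPLE_SECRET_KEYS, true ) ) {
			$options[ $key ] = ''; // Drop the value whatever its type.
		} elseif ( is_array( $value ) ) {
			$options[ $key ] = example_mask_secrets( $value );
		}
	}
	return $options;
}

// Vulnerable pattern: every user who can open the post editor (contributors included)
// receives the full option array inline in the page source.
// Assumes the 'example-editor' handle is already registered.
function example_enqueue_editor_data_unsafe() {
	$internal = (array) get_option( 'example_internal_options', array() );
	wp_localize_script( 'example-editor', 'exampleData', array( 'internalOptions' => $internal ) );
}

// Hardened pattern: raw values are localized only for users holding the privileged capability.
function example_enqueue_editor_data() {
	wp_enqueue_script( 'example-editor', plugins_url( 'editor.js', __FILE__ ), array(), '1.0', true );

	$internal = (array) get_option( 'example_internal_options', array() );
	if ( ! current_user_can( 'manage_options' ) ) { // Assumed capability boundary.
		$internal = example_mask_secrets( $internal );
	}
	wp_localize_script( 'example-editor', 'exampleData', array( 'internalOptions' => $internal ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_editor_data' );
```

A deny-list like this misses secret keys added later; localizing only an allow-listed subset of options for low-privilege users is the stricter design.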
How can this vulnerability impact me?
This vulnerability allows attackers with contributor-level access or above to access sensitive information like API/OAuth tokens and license-related data that should normally be protected.
Exposure of such sensitive tokens can lead to unauthorized access to external services or APIs, potentially compromising the security of the website or connected systems.