WordPress Plugin Vulnerabilities

All in One SEO < 4.9.3 - Contributor+ AI Access Token and Credit Disclosure

Description

The plugin is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token.

Affects Plugins

Plugin icon
all-in-one-seo-pack
Fixed in 4.9.3

References

CVE
CVE-2025-14384
URL
https://www.wordfence.com/threat-intel/vulnerabilities/id/f47d53e1-42ac-425e-a6f2-901a6d26845d

Classification

Type
NO AUTHORISATION
OWASP top 10
A5: Broken Access Control
CWE
CWE-862
CVSS
2.7 (low)

Miscellaneous

Original Researcher
NosleeP++
Verified
No
WPVDB ID
c2942498-4625-49f1-8d9a-429f0f1a8dd8

Timeline

Publicly Published
2026-01-15 (about 3 months ago)
Added
2026-01-15 (about 3 months ago)
Last Updated
2026-01-15 (about 3 months ago)

Other

Published
Title
Published
2024-06-10
Title
Advanced Contact form 7 DB < 2.0.3 - Missing Authorization to Unauthenticated Information Disclosure
Published
2026-04-09
Title
Download Manager < 3.3.52 - Missing Authorization to Authenticated (Contributor+) Media File Protection Removal
Published
2025-12-31
Title
Hotel Booking <= 3.8 - Missing Authorization
Published
2025-09-22
Title
Team < 5.0.7 - Missing Authorization
Published
2026-04-23
Title
HubSpot All-In-One Marketing - Forms, Popups, Live Chat < 11.3.33 - Missing Authorization to Authenticated (Contributor+) Installed Plugin Disclosure