WordPress Plugin Vulnerabilities

All in One SEO Pack < 2.2.6 - Information Disclosure

Description

The Semper Fi All in One SEO Pack plugin before 2.2.6 for WordPress does not consider the presence of password protection during generation of the Meta Description field, which allows remote attackers to obtain sensitive information by reading HTML source code.

Affects Plugins

Plugin icon
all-in-one-seo-pack
Fixed in 2.2.6

References

CVE
CVE-2015-0902
URL
https://jvn.jp/en/jp/JVN75615300/index.html
URL
https://web.archive.org/web/20150809074225/http://semperfiwebdesign.com/blog/all-in-one-seo-pack/all-in-one-seo-pack-release-history/

Classification

Type
AUTHBYPASS
OWASP top 10
A2: Broken Authentication and Session Management
CWE
CWE-287

Miscellaneous

Original Researcher
Fumito MIZUNO of rescuework.inc
Verified
No
WPVDB ID
de4706de-f388-41b9-af91-bd4677a7166e

Timeline

Publicly Published
2015-03-31 (about 11 years ago)
Added
2015-04-03 (about 11 years ago)
Last Updated
2020-04-12 (about 6 years ago)

Other

Published
Title
Published
2016-12-23
Title
BuddyPress 2.0-2.7.3 - Arbitrary File Deletion
Published
2018-10-20
Title
Accelerated Mobile Pages <= 0.9.97.19 - Multiple Unauthenticated Vulnerabilities
Published
2024-10-24
Title
Comments – wpDiscuz < 7.6.25 - Authentication Bypass
Published
2025-07-17
Title
LoginPress Pro < 5.0.2 - Authentication Bypass via WordPress.com OAuth provider
Published
2024-10-25
Title
WatchTowerHQ < 3.10.4 - Authentication Bypass to Administrator due to Missing Empty Value Check