All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic Vulnerability – Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure – CVE-2025-14384 | WordPress Plugin Vulnerability Report
Plugin Name: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Key Information:
Software Type: Plugin
Software Slug: all-in-one-seo-pack
Software Status: Patched
Software Author: smub
Software Downloads: 196,420,959
Active Installs: 3,000,000
Last Updated: January 16, 2026
Patched Versions: 4.9.3
Affected Versions: ≤ 4.9.2
Vulnerability Details:
Name: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic ≤ 4.9.2 – Missing Authorization to Authenticated AI Access Token Disclosure
Title: Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure
Type: Missing Authorization / Improper Access Control
CVE: CVE-2025-14384
CVSS Score: 4.3 (Medium)
Publicly Published: January 15, 2026
Researcher: NosleeP++
Description: The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access to sensitive data due to a missing capability check on the /aioseo/v1/ai/credits REST API route in all versions up to, and including, 4.9.2. This flaw allows authenticated attackers with Contributor-level access or higher to disclose the global AI access token.
Summary:
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress contains a vulnerability in versions up to and including 4.9.2 that allows authenticated users with Contributor-level permissions or higher to access and disclose the site’s global AI access token. This vulnerability has been patched in version 4.9.3.
Detailed Overview:
This vulnerability is caused by a missing authorization (capability) check on the /aioseo/v1/ai/credits REST endpoint. As a result, any logged-in user with Contributor-level access or higher can query this endpoint and retrieve sensitive AI-related information, including the global AI access token used by the plugin.
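The pattern behind this class of flaw, and the fix, can be shown with a WordPress REST route registration. The following is an added illustrative example written for this report; it is not All in One SEO's actual source code. The namespace and route match the advisory, while the callback name, the option names, and the response shape are assumptions.

```php
<?php
// Added example (not the plugin's own code). It registers the route named in the
// advisory and shows the difference between a permission_callback that any
// logged-in user passes and one that requires an administrator-level capability.

add_action( 'rest_api_init', function () {
    register_rest_route( 'aioseo/v1', '/ai/credits', array(
        'methods'  => WP_REST_Server::READABLE,
        'callback' => 'example_get_ai_credits', // hypothetical handler name

        // WEAK (the class of check a missing-authorization bug amounts to):
        // 'permission_callback' => 'is_user_logged_in',
        // Every authenticated account, Contributor included, satisfies this.

        // HARDENED: gate the route on a capability only administrators hold.
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error(
                    'rest_forbidden',
                    __( 'Sorry, you are not allowed to do that.' ),
                    // 401 for anonymous callers, 403 for logged-in users without the cap.
                    array( 'status' => rest_authorization_required_code() )
                );
            }
            return true;
        },
    ) );
} );

function example_get_ai_credits( WP_REST_Request $request ) {
    // Hypothetical option names; where the real plugin stores its token is not
    // described on this page.
    $token   = get_option( 'example_ai_access_token', '' );
    $credits = (int) get_option( 'example_ai_credits', 0 );

    // Defence in depth: even behind the capability check, return what the admin
    // UI needs (the balance and whether a token is configured) rather than the
    // raw secret itself, so a future authorization slip discloses less.
    return rest_ensure_response( array(
        'credits'       => $credits,
        'token_present' => '' !== $token,
    ) );
}
```

When reviewing any plugin's REST routes, the two things to check are the `permission_callback` (absent, `__return_true`, or a bare logged-in test are all red flags for an endpoint that returns credentials) and whether the handler needs to return the secret at all.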
While this issue does not allow anonymous attackers or direct remote code execution, it represents a breakdown in access control. Sensitive credentials should only be accessible to administrators, and exposing them to lower-privileged users increases the risk of misuse, abuse of paid AI services, or unintended disclosure.
The vulnerability was responsibly disclosed by security researcher NosleeP++ and publicly published in January 2026. The plugin developers responded quickly, releasing version 4.9.3 to properly restrict access to the affected endpoint.
Advice for Users:
Immediate Action: Users should update the All in One SEO plugin to version 4.9.3 or later immediately to fully remediate the vulnerability.
Check for Signs of Vulnerability: Review your WordPress user roles and ensure that only trusted users have Contributor-level access or higher. If your site uses AI features, consider rotating any exposed tokens and monitor for unusual AI usage or unexpected charges.
Alternate Plugins: Although a patch is available, some users may wish to evaluate alternative SEO plugins, particularly if they operate multi-author websites or rely heavily on third-party integrations.
Stay Updated: Always keep WordPress core, themes, and plugins updated. Security vulnerabilities are frequently discovered in even the most popular plugins, and updates are the primary line of defense.
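The remediation steps above (confirm the installed version, review which accounts hold Contributor-level access or higher) can be checked from the command line. The following WP-CLI script is an added example for this report, not something shipped by the plugin; it assumes WP-CLI is installed and is run from the site root with `wp eval-file`, and it relies only on WordPress core functions. The patched version number comes from the advisory; the plugin is located by its slug so no file path has to be guessed.

```php
<?php
// Added example (not part of the advisory or the plugin). Usage:
//   wp eval-file check-cve-2025-14384.php
// WP-CLI loads WordPress first, so get_plugins(), version_compare() and the
// capability helpers below are available.

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

$patched_version = '4.9.3'; // first fixed release per the advisory
$installed       = null;

// Locate the plugin by its directory slug (all-in-one-seo-pack) instead of
// assuming the name of its main file.
foreach ( get_plugins() as $plugin_file => $data ) {
    if ( 0 === strpos( $plugin_file, 'all-in-one-seo-pack/' ) ) {
        $installed = $data['Version'];
        break;
    }
}

if ( null === $installed ) {
    WP_CLI::log( 'All in One SEO (all-in-one-seo-pack) is not installed on this site.' );
} elseif ( version_compare( $installed, $patched_version, '<' ) ) {
    WP_CLI::warning( "Installed version $installed is affected by CVE-2025-14384; update to $patched_version or later and rotate the AI access token." );
} else {
    WP_CLI::success( "Installed version $installed is at or above the patched release $patched_version." );
}

// Accounts that could have read the endpoint while the site was unpatched:
// Contributor and above (everyone granted edit_posts) who are not administrators.
$exposed = array();
foreach ( get_users( array( 'fields' => array( 'ID', 'user_login' ) ) ) as $user ) {
    if ( user_can( $user->ID, 'edit_posts' ) && ! user_can( $user->ID, 'manage_options' ) ) {
        $exposed[] = $user->user_login;
    }
}

WP_CLI::log( sprintf( 'Non-administrator accounts with Contributor-level access or higher: %d', count( $exposed ) ) );
foreach ( $exposed as $login ) {
    WP_CLI::log( "  - $login" );
}
```

If the script reports an affected version, the order of work is: update the plugin, rotate the AI access token in the plugin's settings, then review the listed accounts and any unexpected AI usage or charges. On a multisite network `manage_options` is held by site administrators rather than only super admins, so adjust the capability test to the roles actually in use.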
Conclusion:
The swift patch released for this vulnerability highlights the importance of keeping plugins up to date. Website owners should ensure they are running All in One SEO version 4.9.3 or later to prevent unauthorized access to sensitive AI credentials and maintain a secure WordPress environment.
Conclusion:
Keeping WordPress websites secure is an ongoing challenge, especially for small business owners who do not have the time to monitor vulnerability disclosures or security advisories. This vulnerability demonstrates that even widely trusted plugins with millions of active installs can expose sensitive data when updates are delayed.
All in One SEO is a powerful plugin used to improve search rankings and manage SEO settings, and affected versions prior to 4.9.3 contain an access control flaw that could allow internal users to view confidential AI credentials. While the severity is moderate, the potential for misuse and unexpected costs makes it a real concern for business owners.
If exploited, this vulnerability could result in unauthorized use of AI services, increased expenses, or broader security concerns stemming from improper permission boundaries. Because these issues often leave no obvious signs, many site owners may not realize their site is at risk.
The best protection is simple: apply updates promptly and regularly. For business owners who cannot dedicate time to security maintenance, professional WordPress maintenance and monitoring services can help ensure vulnerabilities are patched quickly, risks are minimized, and peace of mind is maintained.
Staying proactive with updates and security hygiene is one of the most effective ways to protect your website, your data, and your business reputation.