A newly disclosed security vulnerability in the All In One SEO ecosystem has drawn attention across the WordPress community due to its potential reach and impact. The flaw affects the widely used AIOSEO plugin, which is active on more than 3 million WordPress websites. It allows low-privileged users to access a site-wide AI access token tied to the plugin’s artificial intelligence features.
The issue adds to a growing list of security problems involving All In One SEO in 2025. According to security researchers, this is the sixth vulnerability disclosed for the plugin this year, raising concerns about recurring authorization and permission-related weaknesses.
The AIOSEO plugin is one of the most popular SEO tools in the WordPress ecosystem. It helps site owners manage essential optimization tasks such as generating metadata, creating XML sitemaps, adding structured data, and improving on-page SEO performance.
In recent versions, All In One SEO also introduced AI-powered tools designed to help users write SEO titles, meta descriptions, blog posts, FAQs, and social media content, and to generate images. These AI features rely on a global AI access token that allows the plugin to communicate with external AIOSEO AI services on behalf of the site.
The vulnerability was traced to a missing permission check in a REST API endpoint used by the All In One SEO plugin. According to Wordfence, the issue allowed users with Contributor-level access or higher to retrieve sensitive AI-related data.
This endpoint is intended to return information about a site’s AI usage and remaining credits. However, it failed to verify whether the user making the request was authorized to view that information. As a result, the plugin exposed the site’s global AI access token to low-privilege users.
Contributor is one of the lowest privilege roles in WordPress. Many websites grant Contributor access to guest authors, freelancers, or editorial staff so they can submit drafts for review.
By exposing a site-wide AI token to these users, All In One SEO effectively allowed broad access to a credential that controls AI functionality across the entire site. That token could be misused in several ways.
While the vulnerability does not enable direct code execution, it still presents meaningful risks:
The vulnerability affects all versions of All In One SEO up to and including version 4.9.2. It was addressed in version 4.9.3. In the official plugin changelog, the developers described the fix as:
“Hardened API routes to prevent AI access token from being exposed.”
This change directly resolves the missing permission check identified in the REST API endpoint.
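The pattern behind both the bug and the fix is a WordPress REST route whose `permission_callback` is effectively absent. The following is an added illustration written for this article, not AIOSEO's own code; the namespace `example-seo/v1`, the route `/ai/usage`, the option names and all function names are hypothetical. The "before" shape registers the route so that any user who can reach it passes the check and receives the site-wide token; the "after" shape requires a capability Contributors do not hold and keeps the token out of the response body altogether.

```php
<?php
// Added example, not from the plugin: a REST route that reports AI usage.
// Hypothetical namespace, route and option names for illustration only.
const EXAMPLE_REST_NAMESPACE = 'example-seo/v1';
const EXAMPLE_TOKEN_OPTION   = 'example_seo_ai_access_token';
const EXAMPLE_CREDITS_OPTION = 'example_seo_ai_credits';

// BEFORE: '__return_true' as the permission callback means every request
// that reaches the route is authorized, so the check described in the
// article is missing and the global credential is returned to the caller.
function example_register_ai_usage_route_before() {
    register_rest_route( EXAMPLE_REST_NAMESPACE, '/ai/usage', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_ai_usage_handler_before',
        'permission_callback' => '__return_true', // the missing authorization check
    ) );
}

function example_ai_usage_handler_before( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'credits_remaining' => (int) get_option( EXAMPLE_CREDITS_OPTION, 0 ),
        // Echoing the site-wide token to whoever called the endpoint.
        'access_token'      => get_option( EXAMPLE_TOKEN_OPTION, '' ),
    ) );
}

// AFTER: a real permission callback plus a response that never carries the
// token. Server-side code that needs the token reads it from the option
// directly; clients only learn whether one is configured.
function example_register_ai_usage_route_after() {
    register_rest_route( EXAMPLE_REST_NAMESPACE, '/ai/usage', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_ai_usage_handler_after',
        'permission_callback' => 'example_ai_usage_permission',
    ) );
}

function example_ai_usage_permission( WP_REST_Request $request ) {
    // manage_options is held by Administrators, not by Contributors,
    // Authors or Editors in a default WordPress role configuration.
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'You are not allowed to view AI usage for this site.', 'example-seo' ),
            // 401 for anonymous callers, 403 for logged-in users lacking the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

function example_ai_usage_handler_after( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'credits_remaining' => (int) get_option( EXAMPLE_CREDITS_OPTION, 0 ),
        'token_configured'  => '' !== get_option( EXAMPLE_TOKEN_OPTION, '' ),
    ) );
}

add_action( 'rest_api_init', 'example_register_ai_usage_route_after' );
```

Two points from the hardened version are worth carrying into any plugin review. First, the capability check belongs in `permission_callback`, not inside the handler, so WordPress rejects the request before any data is assembled. Second, a secret that only the server needs should never be part of a response at all; once a credential has been read through a vulnerable endpoint, patching the endpoint does not invalidate it, so whatever rotation or revocation the issuing service provides should be used after updating.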
Anyone using All In One SEO on a WordPress site should update to version 4.9.3 or newer as soon as possible. Sites that allow multiple Contributors or external collaborators face a higher risk, as low-privilege accounts could access the AI token on vulnerable versions.
Regularly updating WordPress plugins, especially those like AIOSEO, which integrate AI services and external APIs, remains one of the most effective ways to reduce exposure to security risks.
© 2026 The Cyber Express – Cybersecurity News and Magazine.