Sensitive Information Exposure in All in One SEO Plugin for WordPress
CVE-2026-5075

4.3 MEDIUM

What is CVE-2026-5075?

The All in One SEO plugin for WordPress is vulnerable to sensitive information exposure because internal option data is mishandled in the 'internalOptions' localized script. In versions up to and including 4.9.7, authenticated users with contributor-level access or higher can read sensitive data such as API and OAuth tokens, as well as license details, through the post editor. The vulnerability arises from inadequate masking of critical information during the localization process, so it is critical that users update the plugin to prevent unauthorized data access.

Affected Version(s)

All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic: versions 0 through 4.9.7 (inclusive)

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Riadh Bouchahoua