CVE-2025-14384 Overview
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress contains an authorization bypass vulnerability caused by a missing capability check on the /aioseo/v1/ai/credits REST API endpoint. All versions up to and including 4.9.2 are affected. Authenticated attackers with Contributor-level access or above can call the endpoint and read the plugin's global AI access token, data they are not authorized to see.
Critical Impact
Any authenticated user holding a low-privilege Contributor account can call the unprotected endpoint and read the global AI access token. Once disclosed, the token may allow unauthorized use of the plugin's AI-powered features and of the services behind them, outside the site's own controls.
Affected Products
- All in One SEO WordPress Plugin versions up to and including 4.9.2
- WordPress installations using vulnerable versions of the AIOSEO plugin
Discovery Timeline
- 2026-01-16 - CVE-2025-14384 published to NVD
- 2026-01-16 - Last updated in NVD database
Technical Details for CVE-2025-14384
Vulnerability Analysis
This vulnerability is classified as CWE-862 (Missing Authorization), a broken access control flaw where the application fails to verify that a user is authorized to perform a specific action. In the context of WordPress plugins, REST API routes should implement capability checks to ensure that only users with appropriate permissions can access sensitive functionality.
The vulnerable endpoint /aioseo/v1/ai/credits returns the global AI access token without verifying that the requesting user holds a privilege appropriate to that data. WordPress Contributors, who should only be able to write and edit their own unpublished posts, can therefore call the endpoint and retrieve a secret that belongs to the site's configuration.
Root Cause
The root cause is that the REST route serving the AI credits endpoint does not verify a capability before returning the token. In the WordPress REST API that check belongs in the route's permission_callback, which should call current_user_can() with an administrative capability such as manage_options; a permission_callback that only confirms the caller is logged in, or one that is missing entirely (which makes the route public), lets any authenticated user through. The All in One SEO plugin did not enforce such a check on the affected route.
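The following is an added example, not All in One SEO's own code, showing the pattern behind CWE-862 in a WordPress REST route: the same handler registered once with a permission_callback that only requires a login, and once with a real capability check. The namespace example/v1, the option names and the function names are illustrative.

```php
<?php
// Added example, not All in One SEO's code. The namespace example/v1, the
// option names and the function names are illustrative.

// The handler both routes share. Returning the raw token is the behaviour
// under discussion; a better design returns only the balance the UI needs.
function example_get_ai_credits( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'credits' => (int) get_option( 'example_ai_credits', 0 ),
        'token'   => get_option( 'example_ai_access_token', '' ),
    ) );
}

add_action( 'rest_api_init', function () {
    // Vulnerable pattern (CWE-862): permission_callback proves only that the
    // caller is logged in. Any Contributor, Author or Editor passes.
    register_rest_route( 'example/v1', '/ai/credits', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_ai_credits',
        'permission_callback' => function ( WP_REST_Request $request ) {
            return is_user_logged_in();
        },
    ) );

    // Hardened pattern: require an administrative capability. WordPress runs
    // permission_callback before the handler and turns false or a WP_Error
    // into a 401/403 response, so the token is never read for a Contributor.
    register_rest_route( 'example/v1', '/ai/credits-fixed', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_ai_credits',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( current_user_can( 'manage_options' ) ) {
                return true;
            }
            return new WP_Error(
                'rest_forbidden',
                __( 'Sorry, you are not allowed to view AI credits.' ),
                array( 'status' => rest_authorization_required_code() )
            );
        },
    ) );
} );
```

Since WordPress 5.5, registering a route without any permission_callback raises a _doing_it_wrong notice but still serves the route to everyone, so "present but too weak" and "absent" both end in the same place: the capability check must be explicit.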
Attack Vector
An attacker first needs an authenticated session on the target site with at least Contributor privileges, whether a self-registered account on a site whose default role is Contributor or a compromised low-privilege account. With that, a single GET request to /wp-json/aioseo/v1/ai/credits (or the equivalent /index.php?rest_route=/aioseo/v1/ai/credits form), authenticated either with the logged-in cookie plus a valid X-WP-Nonce header or with an application password over HTTP Basic authentication, returns the AI access token.
The attack requires only network access to the WordPress installation and valid credentials for any account with Contributor permissions or higher. No user interaction is needed, and the request is trivially scripted.
Detection Methods for CVE-2025-14384
Indicators of Compromise
- Requests to /wp-json/aioseo/v1/ai/credits, or to index.php with rest_route=/aioseo/v1/ai/credits, from sessions or application passwords that belong to Contributor, Author or Editor accounts
- Contributor or Author accounts querying AI-related AIOSEO endpoints that their editorial workflow never touches
- Scripted user agents or bursts of REST requests against aioseo/v1 routes from a single low-privilege account
- Consumption of the site's AI credits that the site did not initiate, which could indicate the disclosed token being used elsewhere
Detection Strategies
- Monitor requests to /wp-json/aioseo/v1/ai/credits (and the ?rest_route= form); web server logs show the IP, user agent and status code but not the WordPress user, so pair them with a WordPress-side log that records the user ID and role for this route
- Add a Web Application Firewall (WAF) rule that alerts on, or blocks outright, any request to that route until the plugin is updated
- Review user activity logs from an audit-logging plugin for Contributor accounts reaching administrative plugin functionality
- Treat an HTTP 200 response on that route for a non-administrator as a confirmed disclosure; after patching, a 403 is the expected result for such callers
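To show what the web server log alone can and cannot tell you, here is an added example (not from the page or the plugin) that scans Apache combined-format access log lines for hits on the credits route in both URL forms and separates requests that were actually served from those that were refused. The log lines are constructed for the example, and the addresses come from the documentation ranges.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample traffic in Apache "combined" log format (not real data;
# addresses are from the documentation ranges). Lines 1 and 3 are the two URL
# forms of the vulnerable route, line 4 is the same route refused after patching.
SAMPLE_LOG = """\
203.0.113.10 - - [16/Jan/2026:10:01:02 +0000] "GET /wp-json/aioseo/v1/ai/credits HTTP/1.1" 200 312 "-" "curl/8.5.0"
203.0.113.10 - - [16/Jan/2026:10:01:05 +0000] "GET /wp-json/aioseo/v1/post HTTP/1.1" 200 512 "-" "curl/8.5.0"
198.51.100.7 - - [16/Jan/2026:10:02:44 +0000] "GET /index.php?rest_route=%2Faioseo%2Fv1%2Fai%2Fcredits HTTP/1.1" 200 312 "-" "python-requests/2.32"
192.0.2.5 - - [16/Jan/2026:10:03:10 +0000] "GET /wp-json/aioseo/v1/ai/credits/ HTTP/1.1" 403 98 "https://example.test/wp-admin/" "Mozilla/5.0"
192.0.2.5 - - [16/Jan/2026:10:03:11 +0000] "POST /wp-json/wp/v2/posts HTTP/1.1" 201 1024 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)

VULNERABLE_ROUTE = "/aioseo/v1/ai/credits"


def rest_route(target):
    """Map a request target to the REST route it reaches, or None.

    Handles both /wp-json/<route> and /index.php?rest_route=<route>; the
    query-string form is percent-decoded by parse_qs.
    """
    parts = urlsplit(target)
    path = unquote(parts.path)
    if path.startswith("/wp-json/"):
        return "/" + path[len("/wp-json/"):]
    route = parse_qs(parts.query).get("rest_route")
    return route[0] if route else None


def find_credit_endpoint_hits(log_text):
    """Return one record per request that reached the vulnerable route."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        route = rest_route(m.group("target"))
        if route is None or route.rstrip("/") != VULNERABLE_ROUTE:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "status": int(m.group("status")),
            "ua": m.group("ua"),
        })
    return hits


def disclosed_sources(hits):
    """Sorted IPs that received HTTP 200, i.e. the token was actually served."""
    return sorted({h["ip"] for h in hits if h["status"] == 200})


if __name__ == "__main__":
    found = find_credit_endpoint_hits(SAMPLE_LOG)
    for h in found:
        print(h)
    print("token served to:", disclosed_sources(found))
```

Note what is missing from the output: there is no WordPress username, because the access log never sees one. A 200 from an address that is not known to belong to an administrator is the lead worth chasing, and attributing it to an account requires a WordPress-side log of the route.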
Monitoring Recommendations
- WordPress has no built-in REST request log; add one with a hook such as rest_request_before_callbacks or an audit-logging plugin, recording route, user ID and role for aioseo/v1 requests
- Alert on any access to sensitive AIOSEO configuration endpoints by non-administrator users
- Regularly audit user accounts and their roles; every account at Contributor level or above is a potential caller of this endpoint
- Monitor AI credit consumption for usage the site did not initiate, which could indicate the token has been taken
How to Mitigate CVE-2025-14384
Immediate Actions Required
- Update the All in One SEO plugin to a patched release (any version later than 4.9.2) immediately
- Audit WordPress user accounts and remove Contributor-level access that is no longer needed
- Review access logs for requests to the credits endpoint made before the patch was applied
- Treat the global AI access token as exposed if any account at Contributor level or above is untrusted, and rotate it after updating; rotating before the update is pointless because the new token can be read the same way
Patch Information
A security patch addressing this vulnerability is available. The fix can be reviewed in the WordPress Plugin Update changeset. Site administrators should update to the latest version of All in One SEO through the WordPress admin dashboard or by downloading directly from the WordPress plugin repository.
For additional vulnerability details and remediation guidance, refer to the Wordfence Vulnerability Assessment.
Workarounds
- Block the vulnerable route at the web server or with a security plugin until the update is applied
- A WAF or web server sees only the request, not the WordPress role, so a rule there must deny the endpoint outright; role-aware restriction has to be done inside WordPress, for example with a must-use plugin that hooks REST dispatch
- Temporarily disable the AI features in All in One SEO until the patch can be applied
- Review and limit user role assignments to reduce the number of accounts with Contributor access or higher
# Example: block the vulnerable route at the web server until the plugin is updated.
# Apache cannot see WordPress roles, so this denies the endpoint to everyone;
# the plugin feature that depends on it will not work until the rule is removed.
# Place this in the site's root .htaccess above the "# BEGIN WordPress" block.
# Both the pretty-permalink path and the ?rest_route= form are covered.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-json/aioseo/v1/ai/credits [OR]
RewriteCond %{QUERY_STRING} (^|&)rest_route=(%2F|/)aioseo(%2F|/)v1(%2F|/)ai(%2F|/)credits [NC]
RewriteRule .* - [F,L]
</IfModule>
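Role-aware restriction has to happen inside WordPress, where the current user is known. The following must-use plugin is an added example (not AIOSEO code and not the vendor's fix) that hooks rest_request_before_callbacks, which fires before the route's own permission_callback, to deny the route unless the caller holds manage_options, and logs every attempt with the WordPress user ID that access logs lack. The log line format is illustrative.

```php
<?php
/**
 * Plugin Name: Temporary guard for aioseo/v1/ai/credits
 * Description: Added example, not All in One SEO's code. Save as
 * wp-content/mu-plugins/aioseo-credits-guard.php until the plugin is updated.
 */

add_filter( 'rest_request_before_callbacks', function ( $response, $handler, $request ) {
    // Route as the plugin registers it, without the /wp-json prefix.
    if ( rtrim( $request->get_route(), '/' ) !== '/aioseo/v1/ai/credits' ) {
        return $response;
    }

    // Authentication (cookie + nonce, or application password) has already
    // run at this point, so the user ID reflects the real caller.
    $user_id = get_current_user_id();
    $allowed = current_user_can( 'manage_options' );

    // Illustrative log line; error_log() writes to the PHP error log or
    // WP_DEBUG_LOG. Replace with your audit log or SIEM forwarder.
    error_log( sprintf(
        'aioseo-credits-guard: user=%d ip=%s allowed=%s',
        $user_id,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
        $allowed ? 'yes' : 'no'
    ) );

    if ( ! $allowed ) {
        // Returning WP_Error here short-circuits dispatch: neither the
        // plugin's permission_callback nor its handler runs.
        return new WP_Error(
            'rest_forbidden',
            __( 'This endpoint is temporarily restricted to administrators.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    }

    return $response;
}, 10, 3 );
```

Unlike the .htaccess rule, this keeps the endpoint working for administrators, and the allowed=no lines it produces are the per-account evidence of attempted exploitation that the web server log cannot give you. Remove the file once the plugin has been updated.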
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

