CVE-2026-5075 Overview
CVE-2026-5075 is a sensitive information exposure vulnerability in the All in One SEO plugin for WordPress, affecting all versions up to and including 4.9.7. The flaw resides in how the plugin passes internalOptions data to wp_localize_script() within post editor contexts. Sensitive internal option data is rendered into page source without effective masking for low-privilege users. Authenticated attackers with contributor-level access or higher can extract configured API tokens, OAuth tokens, and license-related values directly from the rendered page source. The issue is tracked as [CWE-200] (Exposure of Sensitive Information to an Unauthorized Actor).
Critical Impact
Contributor-level accounts on affected WordPress sites can read API credentials, OAuth tokens, and license values that may enable lateral access to third-party integrated services.
Affected Products
- All in One SEO plugin for WordPress, versions up to and including 4.9.7
- WordPress sites running the vulnerable plugin with contributor-or-higher user accounts
- Any third-party services whose tokens are stored within the plugin's internal options
Discovery Timeline
- 2026-05-20 - CVE-2026-5075 published to NVD
- 2026-05-20 - Last updated in NVD database
Technical Details for CVE-2026-5075
Vulnerability Analysis
The All in One SEO plugin loads configuration data into the WordPress post editor by passing an internalOptions object to wp_localize_script(). This function serializes server-side data into a JavaScript variable embedded in the rendered HTML. The plugin fails to apply effective masking or role-based filtering before exposing this data structure. As a result, the localized object includes sensitive material such as API keys, OAuth tokens, and license identifiers used by integrated services.
Any authenticated user permitted to access the post editor receives the same serialized data. Contributor accounts on WordPress have legitimate access to the editor for draft submissions. This grants them visibility into credentials they should not be able to read.
Root Cause
The root cause is missing access control on data passed to client-side script localization. The plugin treats internalOptions as administrator-scoped data while exposing it to every editor user. There is no capability check or value-redaction step between option retrieval and script localization. [CWE-200] applies because sensitive data is disclosed to an actor whose role does not require it.
Attack Vector
An attacker first obtains contributor-level credentials through registration, social engineering, or account compromise. The attacker then visits any post editor screen where the All in One SEO scripts are enqueued. The browser receives an HTML document containing the localized internalOptions variable. The attacker views the page source or uses developer tools to extract tokens, API keys, and license values. Recovered credentials can then be used against the corresponding third-party APIs outside the WordPress environment.
No verified public exploit code is available. The vulnerability mechanism is documented in the WordPress Plugin Changeset and the Wordfence Vulnerability Report.
Detection Methods for CVE-2026-5075
Indicators of Compromise
- Unexpected requests from contributor or author accounts to /wp-admin/post.php or /wp-admin/post-new.php followed by outbound use of integrated service tokens.
- Audit log entries showing low-privilege users repeatedly loading editor screens without saving content.
- Unusual API activity on services connected to All in One SEO using stored OAuth or API tokens.
Detection Strategies
- Inspect rendered editor HTML on affected sites for internalOptions JavaScript variables containing token-like strings.
- Correlate WordPress user role assignments with access patterns to editor pages from new or rarely used accounts.
- Review third-party service logs for token use originating from IP addresses not associated with the WordPress server.
Monitoring Recommendations
- Enable WordPress audit logging for user role changes, contributor registrations, and editor screen access.
- Rotate and monitor API and OAuth tokens stored by SEO and marketing plugins for anomalous usage.
- Alert on outbound API calls from contributor sessions or from hosts outside the WordPress production environment.
How to Mitigate CVE-2026-5075
Immediate Actions Required
- Update the All in One SEO plugin to a version later than 4.9.7 that includes the fix from changeset 3532318.
- Rotate all API keys, OAuth tokens, and license values configured within the plugin, assuming prior exposure.
- Audit existing user accounts and remove or downgrade contributor-and-above accounts that are not actively required.
Patch Information
The vendor addressed the issue in the plugin update referenced by the WordPress Plugin Changeset 3532318. Site administrators should apply the latest plugin release through the WordPress plugin manager or via WP-CLI. Additional remediation context is available in the Wordfence Vulnerability Report.
Workarounds
- Restrict new account registration and require administrator approval for any role at or above contributor.
- Temporarily disable the All in One SEO plugin on sites that cannot be updated immediately.
- Remove sensitive third-party integrations from the plugin configuration until the patched version is deployed.
# Update All in One SEO via WP-CLI
wp plugin update all-in-one-seo-pack
# Verify installed version is greater than 4.9.7
wp plugin get all-in-one-seo-pack --field=version
# List users with contributor role or higher for review
wp user list --role=contributor --fields=ID,user_login,user_email,user_registered
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
