CVE-2025-14384
📋 TL;DR
The All in One SEO WordPress plugin has a missing capability check on its REST API endpoint, allowing authenticated users with Contributor-level access or higher to retrieve the global AI access token. This vulnerability affects all versions up to and including 4.9.2, potentially exposing sensitive plugin configuration data.
💻 Affected Systems
- All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers could use the exposed AI access token to make unauthorized API calls to AI services, potentially incurring costs or accessing AI features reserved for administrators.
Likely Case
Unauthorized disclosure of the AI access token, which could be used to monitor or interfere with the plugin's AI-powered features.
If Mitigated
Limited impact if proper access controls and monitoring are in place to detect unusual API usage patterns.
🎯 Exploit Status
Exploitation requires authenticated access with at least Contributor privileges and consists of a single HTTP request to the vulnerable REST endpoint; no further interaction is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.9.3 or later
Vendor Advisory: https://plugins.trac.wordpress.org/changeset/3435276/all-in-one-seo-pack
Restart Required: No
Instructions:
1. Log into the WordPress admin panel.
2. Navigate to Plugins → Installed Plugins.
3. Find the All in One SEO plugin.
4. Click 'Update Now' if available, or manually update to version 4.9.3+.
5. Verify that the update completes successfully.
🔧 Temporary Workarounds
Restrict Contributor Access
Temporarily limit or remove Contributor-level user accounts until patching is complete.
Disable Plugin
Temporarily deactivate the All in One SEO plugin if immediate patching isn't possible:
wp plugin deactivate all-in-one-seo-pack
🧯 If You Can't Patch
- Implement strict access controls and monitor for unusual API token usage
- Consider using web application firewall rules to block requests to the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check WordPress admin panel → Plugins → All in One SEO → Version number. If version is 4.9.2 or lower, you are vulnerable.
Check Version:
wp plugin get all-in-one-seo-pack --field=version
Verify Fix Applied:
Verify in the WordPress admin panel that the plugin version is 4.9.3 or higher, then test that a Contributor-level account cannot access the /wp-json/aioseo/v1/ai/credits endpoint.
📡 Detection & Monitoring
Log Indicators:
- HTTP 200 responses to /wp-json/aioseo/v1/ai/credits from non-admin users
- Unusual AI API usage patterns
Network Indicators:
- GET requests to /wp-json/aioseo/v1/ai/credits from authenticated non-admin users
SIEM Query:
source="wordpress" AND uri_path="/wp-json/aioseo/v1/ai/credits" AND user_role!="administrator"
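For sites that cannot patch immediately, the "If You Can't Patch" guidance above (block requests to the vulnerable endpoint) and the detection indicators in this section can both be implemented inside WordPress itself rather than at a WAF. The following must-use plugin is an added example written for this page; it is not code from All in One SEO or from the vendor's fix. It hooks the core REST API filter `rest_request_before_callbacks`, denies the `/aioseo/v1/ai/credits` route to any user lacking `manage_options`, and writes one log line per denied attempt so the event shows up in the PHP error log. The plugin name, the function name `cve_2025_14384_credits_guard`, and the log prefix are assumptions chosen for the example; the route path is the one given on this page.

```php
<?php
/**
 * Plugin Name: AIOSEO AI credits endpoint guard (interim hardening example)
 * Description: Denies /aioseo/v1/ai/credits to users without manage_options and logs the attempt.
 *
 * Added example for CVE-2025-14384; not part of the All in One SEO plugin.
 * Install as wp-content/mu-plugins/aioseo-credits-guard.php so it is always loaded.
 * Remove it once the plugin has been updated to 4.9.3 or later.
 */

if ( ! defined( 'ABSPATH' ) ) {
	exit;
}

add_filter( 'rest_request_before_callbacks', 'cve_2025_14384_credits_guard', 10, 3 );

/**
 * Short-circuits REST dispatch when a non-administrator calls the AI credits route.
 *
 * Returning a WP_Error from this core filter makes WP_REST_Server skip the
 * route's callback, so the plugin's own (missing) capability check is never reached.
 *
 * @param mixed           $response Response so far (null before the callback runs).
 * @param array           $handler  Matched route handler (unused here).
 * @param WP_REST_Request $request  The incoming REST request.
 * @return mixed Unchanged $response, or a WP_Error that stops dispatch.
 */
function cve_2025_14384_credits_guard( $response, $handler, $request ) {
	// Match the affected route only; tolerate an optional trailing slash.
	if ( ! preg_match( '#^/aioseo/v1/ai/credits/?$#', $request->get_route() ) ) {
		return $response;
	}

	// Administrators (anyone holding manage_options) keep normal access.
	if ( current_user_can( 'manage_options' ) ) {
		return $response;
	}

	$user = wp_get_current_user();
	$ip   = isset( $_SERVER['REMOTE_ADDR'] )
		? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
		: 'unknown';

	// Detection: one line per denied call, matching the "non-admin request to
	// /wp-json/aioseo/v1/ai/credits" indicator listed above. Assumed log prefix.
	error_log( sprintf(
		'[aioseo-credits-guard] denied method=%s user_id=%d roles=%s ip=%s',
		$request->get_method(),
		(int) $user->ID,
		$user->ID ? implode( ',', (array) $user->roles ) : 'anonymous',
		$ip
	) );

	// 401 for anonymous callers, 403 for authenticated ones (core helper).
	return new WP_Error(
		'rest_forbidden',
		__( 'Sorry, you are not allowed to do that.' ),
		array( 'status' => rest_authorization_required_code() )
	);
}
```

Because the filter runs after WordPress has authenticated the REST request but before the route callback, the check applies regardless of how the plugin registers the endpoint. The resulting error-log lines can be forwarded to the SIEM and correlated with the query above; a burst of denials from a single Contributor account is the pattern worth alerting on.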