CVE-2025-67950 – This SQL injection vulnerability in the All In ... (How to Fix)

Q: What is the severity of CVE-2025-67950?

CVE-2025-67950 has a CVSS score of 8.5 (HIGH). This SQL injection vulnerability in the All In One SEO Pack WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affects all WordPress sites running the plugin version 4.9.1 or earlier. Successful exploitation could lead to data theft, modification, or deletion.

📋 TL;DR

This SQL injection vulnerability in the All In One SEO Pack WordPress plugin allows attackers to execute arbitrary SQL commands on the database. It affects all WordPress sites running the plugin version 4.9.1 or earlier. Successful exploitation could lead to data theft, modification, or deletion.

💻 Affected Systems

Products:

All In One SEO Pack WordPress Plugin

Versions: All versions through 4.9.1

Operating Systems: Any OS running WordPress

Default Config Vulnerable: ⚠️ Yes

Notes: Affects all WordPress installations using the vulnerable plugin versions regardless of configuration.

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database compromise including sensitive data exfiltration (user credentials, personal information), data destruction, and potential privilege escalation to full site control.

🟠

Likely Case

Data extraction from the WordPress database including user information, plugin settings, and potentially sensitive content, leading to privacy violations and potential credential harvesting.

🟢

If Mitigated

Limited impact with proper input validation and database permissions, potentially only allowing data reading from non-sensitive tables.

🌐 Internet-Facing: HIGH - WordPress sites are typically internet-facing, and this plugin is widely used, making many sites potentially vulnerable to remote attacks.

🏢 Internal Only: LOW - WordPress sites are rarely deployed exclusively internally, and the plugin's functionality is primarily for public-facing websites.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

SQL injection vulnerabilities in WordPress plugins are frequently weaponized quickly due to the large attack surface and automated exploitation tools.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 4.9.2 or later

Vendor Advisory: https://patchstack.com/database/Wordpress/Plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-9-1-sql-injection-vulnerability?_s_id=cve

Restart Required: No

Instructions:

1. Log into WordPress admin panel. 2. Navigate to Plugins → Installed Plugins. 3. Find All In One SEO Pack. 4. Click 'Update Now' if available. 5. Alternatively, download version 4.9.2+ from WordPress repository and manually update.

🔧 Temporary Workarounds

Temporary Plugin Deactivation

all

Disable the vulnerable plugin until patched

wp plugin deactivate all-in-one-seo-pack

Web Application Firewall Rules

all

Implement WAF rules to block SQL injection patterns targeting the plugin

🧯 If You Can't Patch

Implement strict input validation and parameterized queries at application level
Restrict database user permissions to minimum required for plugin functionality

🔍 How to Verify

Check if Vulnerable:

Check WordPress admin panel → Plugins → All In One SEO Pack version. If version is 4.9.1 or lower, you are vulnerable.

Check Version:

wp plugin get all-in-one-seo-pack --field=version

Verify Fix Applied:

Verify plugin version is 4.9.2 or higher in WordPress admin panel.

📡 Detection & Monitoring

Log Indicators:

Unusual SQL queries in database logs
Multiple failed login attempts or unusual admin activity in WordPress logs
HTTP requests with SQL injection patterns in web server logs

Network Indicators:

Unusual database connection patterns from web server
Outbound data exfiltration to suspicious IPs

SIEM Query:

source="wordpress.log" AND "all-in-one-seo-pack" AND ("sql" OR "union" OR "select" OR "from")

📊 Metadata

CVE ID: CVE-2025-67950

CVSS v3 Score: 8.5 (HIGH)

CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H

CWE: CWE-89

EPSS Score: 0.04% exploit probability (11.6th percentile)

Published: December 16, 2025

Last Updated: January 20, 2026

🔗 References

https://patchstack.com/database/Wordpress/Plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-9-1-sql-injection-vulnerability?_s_id=cve

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2025-67950, you might also want to check these: