PatchSiren cyber security CVE debrief

CVE-2026-5075 smub CVE debrief

The All in One SEO plugin for WordPress, versions up to and including 4.9.7, exposes sensitive internal option data through localized script variables in post editor contexts. The vulnerability stems from passing unmasked API/OAuth tokens and license-related values via `wp_localize_script()` to the browser, where contributor-level users and above can view them in page source. This represents an information disclosure weakness (CWE-200) rather than a direct authentication bypass or remote code execution flaw. The issue was disclosed on 2026-05-20 with a CVSS 3.1 score of 4.3 (Medium), reflecting the authenticated nature of the attack and limited confidentiality impact. A changeset addressing the issue has been committed to the plugin repository.

Vendor: smub
Product: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
CVSS: MEDIUM 4.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-20
Original CVE updated: 2026-05-20
Advisory published: 2026-05-20
Advisory updated: 2026-05-20

Who should care

WordPress site administrators using All in One SEO plugin; security teams managing content management system plugins; compliance officers concerned with API credential exposure; developers reviewing plugin security postures.

Technical summary

The plugin uses `wp_localize_script()` to pass its `internalOptions` data to the post editor without masking sensitive fields for users with contributor capabilities. Configured API/OAuth tokens and license values can therefore be read from the rendered HTML/JS. The attack requires authenticated access with contributor privileges or higher, and because the data is delivered as part of a normal editor page load, reading it produces no distinct server-side log entry of credential access.
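An illustrative hardening of the pattern described above, added here as example code that is not from All in One SEO or its fix changeset. It shows the vulnerable `wp_localize_script()` call beside a version that masks credential fields before localization (unconditionally, which goes further than the capability-based masking the debrief describes); the option keys, sensitive-key list, script handle and JS object name are assumptions.

```php
<?php
// Added illustrative example, not code from All in One SEO or the fix
// changeset. Option names, the sensitive-key list, the script handle and
// the 'examplePluginOptions' JS object name are all assumptions.

// Keys whose values must not reach the browser. Assumed names.
const EXAMPLE_SENSITIVE_KEYS = array( 'apiToken', 'oauthToken', 'accessToken', 'licenseKey' );

/**
 * Recursively replace sensitive string values with a fixed placeholder.
 * The object shape is preserved, so the editor JS can still tell whether a
 * credential is configured without receiving its value.
 */
function example_mask_sensitive_options( array $options, array $sensitive_keys = EXAMPLE_SENSITIVE_KEYS ) {
    foreach ( $options as $key => $value ) {
        if ( is_array( $value ) ) {
            $options[ $key ] = example_mask_sensitive_options( $value, $sensitive_keys );
        } elseif ( in_array( $key, $sensitive_keys, true ) && is_string( $value ) && '' !== $value ) {
            $options[ $key ] = '***';
        }
    }
    return $options;
}

/**
 * Vulnerable pattern, as the debrief describes it: the raw internal options,
 * credentials included, are localized for every user who can open the editor.
 */
function example_localize_options_vulnerable( $handle, array $internal_options ) {
    wp_localize_script( $handle, 'examplePluginOptions', $internal_options );
}

/**
 * Hardened pattern: credentials are masked before localization. Masking is
 * unconditional, so even administrators are not handed secrets in page source.
 */
function example_localize_options_hardened( $handle, array $internal_options ) {
    wp_localize_script( $handle, 'examplePluginOptions', example_mask_sensitive_options( $internal_options ) );
}

add_action( 'enqueue_block_editor_assets', function () {
    // Constructed sample data; a real plugin would load this with get_option().
    // The script handle is assumed to have been registered with wp_register_script().
    $internal_options = array(
        'siteName'     => 'Example Site',
        'integrations' => array( 'apiToken' => 'constructed-secret-value' ),
        'licenseKey'   => 'constructed-license-value',
    );
    example_localize_options_hardened( 'example-plugin-editor', $internal_options );
} );
```

If the editor JS only needs to know whether a credential is configured, sending a boolean instead of the placeholder removes the secret from the browser entirely.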

Defensive priority

medium

Recommended defensive actions

  • Upgrade All in One SEO plugin to version 4.9.8 or later
  • Review user roles and remove unnecessary contributor access
  • Audit browser-accessible script data for sensitive values
  • Verify no API tokens have been exposed in cached page sources or version control
  • Consider rotating any OAuth or API credentials that may have been visible

Evidence notes

Official vulnerability database records indicate this issue was reported through Wordfence and affects plugin versions through 4.9.7. The CVSS vector (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) confirms network-accessible, low-complexity exploitation requiring low privileges with no user interaction. The vulnerability status is currently marked as Deferred in NVD.
