CVE-2025-58650 MEDIUM

CVE-2025-58650: WordPress All In One SEO Pack Plugin <= 4.8.7.1 - Broken Access Control Vulnerability

Vendor Syed Balkhi

Product All In One SEO Pack

Weakness CWE-862 · Missing authorization

Published September 22, 2025

Last update May 12, 2026

View on NVD All CVEs

CVSS base score

5.4/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality None

Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

What the vulnerability does

01Description

Missing Authorization vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects All In One SEO Pack: from n/a through <= 4.8.7.1.

Explanation of Vulnerability in Simple Terms

02Summary

All In One SEO Pack versions up to 4.8.7.1 lack proper authorization checks, allowing authenticated users with low privileges to modify site data. An attacker with a basic user account can alter SEO settings and other configuration without proper permission validation. Update to a version newer than 4.8.7.1 to resolve this issue.

What an attacker can do

03Attacker Capabilities

Modify SEO settings and site configuration without proper authorization.

Potential impact on your site

04Site Impact

Unauthorized users can alter SEO metadata, site settings, and potentially degrade search visibility or site functionality.

Conditions required to exploit

05Prerequisites

Attacker must have a low-privilege user account on the site (e.g., subscriber or contributor role).

Key dates

06Disclosure timeline

September 22, 2025 CVE published

May 12, 2026 Record updated

External resources

07References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-58650 CWE — Common Weakness Enumeration https://cwe.mitre.org/data/definitions/862.html

Related vulnerabilities

08Related CVE

CVE-2024-8658 myCred – Loyalty Points and Rewards plugin for WordPress and WooCommerce – Give Points, Ranks, Badges, Cashback, WooCommerce rewards, and WooCommerce credits for Gamification <= 2.7.3 - Missing Authorization to Unauthenticated Database Upgrade CVE-2026-6235 Sendmachine for WordPress <= 1.0.20 - Unauthenticated SMTP Hijack to Privilege Escalation via manage_admin_requests CVE-2024-1120 NextMove Lite – Thank You Page for WooCommerce & Finale Lite – Sales Countdown Timer & Discount for WooCommerce <= 2.17.0 - Missing Authorization to Unauthenticated System Information Disclosure CVE-2026-0548 Tutor LMS – eLearning and online course solution <= 3.9.4 - Missing Authorization to Authenticated (Subscriber+) Limited Attachment Deletion CVE-2024-24711 WordPress WooCommerce Conversion Tracking plugin <= 2.0.11 - Broken Access Control vulnerability