CVE-2026-5075 MEDIUM

CVE-2026-5075: All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data

Vendor Smub
Product All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
Weakness CWE-200 · Info exposure
Published May 20, 2026
Last update May 20, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01 Description

The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source.
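The masking step the description says was ineffective can be sketched as follows. This is an added example, not All in One SEO's code or its patch: the `example_*` function, option name, script handle, object name and the list of secret key fragments are all hypothetical, and the sample data is constructed.

```php
<?php
// Added illustration. Names prefixed "example" and the key hints are hypothetical.
const EXAMPLE_SECRET_HINTS = ['token', 'secret', 'license', 'apikey', 'api_key'];

// Return a copy of $options that is safe to print into page source.
// A secret-looking key (scalar or whole subtree) is replaced by a boolean
// "is configured" flag, so the editor UI can show state without the value.
function example_redact_options(array $options, bool $viewerIsAdmin): array
{
    if ($viewerIsAdmin) {
        return $options;
    }
    $safe = [];
    foreach ($options as $key => $value) {
        $isSecret = false;
        foreach (EXAMPLE_SECRET_HINTS as $hint) {
            if (stripos((string) $key, $hint) !== false) {
                $isSecret = true;
                break;
            }
        }
        if ($isSecret) {
            $safe[$key] = !empty($value);
        } elseif (is_array($value)) {
            $safe[$key] = example_redact_options($value, false);
        } else {
            $safe[$key] = $value;
        }
    }
    return $safe;
}

if (function_exists('add_action')) {
    // Inside WordPress: redact before the data reaches wp_localize_script().
    add_action('enqueue_block_editor_assets', function () {
        $options = (array) get_option('example_internal_options', []);
        $isAdmin = current_user_can('manage_options'); // false for contributors
        wp_localize_script('example-editor', 'exampleEditorData', [
            'internalOptions' => example_redact_options($options, $isAdmin),
        ]);
    });
} else {
    // Stand-alone run with constructed sample data.
    $constructed = [
        'integration' => ['accessToken' => 'CONSTRUCTED-VALUE', 'connected' => true],
        'license' => ['key' => 'CONSTRUCTED-VALUE', 'level' => 'pro'],
    ];
    echo json_encode(example_redact_options($constructed, false), JSON_PRETTY_PRINT), "\n";
}
```

Matching on key names is only a sketch of the idea; an allow-list of the fields the editor actually needs fails closed when new options are added.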

Explanation of Vulnerability in Simple Terms

02 Summary

All in One SEO versions up to 4.9.7 expose sensitive information to authenticated users without proper access controls. A logged-in user with low privileges can read data they should not have access to. The vulnerability requires an active WordPress account but no special interaction. Update to a version newer than 4.9.7.

What an attacker can do

03 Attacker Capabilities

As a contributor-level (or higher) user, read configured API/OAuth tokens and license-related values from the page source of the post editor.

Potential impact on your site

04 Site Impact

Authenticated users can access confidential data, risking exposure of site configuration or other users' information.

Conditions required to exploit

05 Prerequisites

Attacker must have a valid WordPress user account with low privileges.

Key dates

06 Disclosure timeline

May 20, 2026 CVE published
May 20, 2026 Record updated