{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-14384", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "state": "PUBLISHED", "assignerShortName": "Wordfence", "dateReserved": "2025-12-09T19:40:21.846Z", "datePublished": "2026-01-16T04:44:36.103Z", "dateUpdated": "2026-04-08T17:33:09.679Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:09.679Z"}, "affected": [{"vendor": "smub", "product": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic", "versions": [{"version": "0", "status": "affected", "lessThanOrEqual": "4.9.2", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token."}], "title": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure", "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f47d53e1-42ac-425e-a6f2-901a6d26845d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3435276/all-in-one-seo-pack"}], "problemTypes": [{"descriptions": [{"lang": "en", "description": "CWE-862 Missing Authorization", "cweId": "CWE-862", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "baseScore": 4.3, "baseSeverity": "MEDIUM"}}], "credits": [{"lang": "en", "type": "finder", "value": "NosleeP"}], "timeline": [{"time": "2025-12-09T19:56:13.000Z", "lang": "en", "value": "Vendor Notified"}, {"time": "2026-01-15T16:24:16.000Z", "lang": "en", "value": "Disclosed"}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-01-16T14:10:14.263468Z", "id": "CVE-2025-14384", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:10:21.442Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-14384", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-01-16T14:10:14.263468Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-01-16T14:10:17.699Z"}}], "cna": {"title": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic <= 4.9.2 - Missing Authorization to Authenticated (Contributor+) AI Access Token and Credit Disclosure", "credits": [{"lang": "en", "type": "finder", "value": "NosleeP"}], "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 4.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"}}], "affected": [{"vendor": "smub", "product": "All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic", "versions": [{"status": "affected", "version": "0", "versionType": "semver", "lessThanOrEqual": "4.9.2"}], "defaultStatus": "unaffected"}], "timeline": [{"lang": "en", "time": "2025-12-09T19:56:13.000Z", "value": "Vendor Notified"}, {"lang": "en", "time": "2026-01-15T16:24:16.000Z", "value": "Disclosed"}], "references": [{"url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f47d53e1-42ac-425e-a6f2-901a6d26845d?source=cve"}, {"url": "https://plugins.trac.wordpress.org/changeset/3435276/all-in-one-seo-pack"}], "descriptions": [{"lang": "en", "value": "The All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization"}]}], "providerMetadata": {"orgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "shortName": "Wordfence", "dateUpdated": "2026-04-08T17:33:09.679Z"}}}, "cveMetadata": {"cveId": "CVE-2025-14384", "state": "PUBLISHED", "dateUpdated": "2026-04-08T17:33:09.679Z", "dateReserved": "2025-12-09T19:40:21.846Z", "assignerOrgId": "b15e7b5b-3da4-40ae-a43c-f7aa60e62599", "datePublished": "2026-01-16T04:44:36.103Z", "assignerShortName": "Wordfence"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "The All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token."}, {"lang": "es", "value": "El plugin All in One SEO \u2013 Powerful SEO Plugin a Boost SEO Rankings &amp; Increase Traffic para WordPress es vulnerable a acceso no autorizado a datos debido a una falta de verificaci\u00f3n de capacidad en la ruta REST `/aioseo/v1/ai/credits` en todas las versiones hasta la 4.9.2 (inclusive). Esto permite a atacantes autenticados, con acceso de nivel Colaborador y superior, divulgar el token de acceso global de IA."}], "id": "CVE-2025-14384", "lastModified": "2026-04-15T00:35:42.020", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security@wordfence.com", "type": "Secondary"}]}, "published": "2026-01-16T05:16:11.623", "references": [{"source": "security@wordfence.com", "url": "https://plugins.trac.wordpress.org/changeset/3435276/all-in-one-seo-pack"}, {"source": "security@wordfence.com", "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/f47d53e1-42ac-425e-a6f2-901a6d26845d?source=cve"}], "sourceIdentifier": "security@wordfence.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security@wordfence.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-20T21:03:19.049534+00:00", "value": {"mitigation_remediation": ["Update the All in One SEO plugin to the latest version that includes a capability check for the AI credits endpoint.", "If an update is not immediately possible, restrict Contributor and higher roles from accessing the \"/aioseo/v1/ai/credits\" route by removing the relevant capability or disabling the endpoint through configuration.", "Review any exposed AI access tokens that may have been retrieved and revoke or rotate them to prevent misuse."], "summary": {"action": "Apply Patch", "impact": "Sensitive Data Disclosure"}, "threat_synthesis": {"affected_systems": "This vulnerability affects the All in One SEO \u2013 Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic by smub, versions up to and including 4.9.2. No other versions or products are listed as affected.", "description_and_impact": "The All in One SEO plugin for WordPress is vulnerable due to a missing capability check on the \"/aioseo/v1/ai/credits\" REST endpoint. Authenticated users with Contributor-level access or higher can send requests to this route and retrieve the global AI access token. This flaw is an instance of CWE\u2011862 Unauthorized Access. Exposing the token can allow attackers to misuse the AI service or gain additional privileged actions within the WordPress site.", "risk_and_exploitability": "The CVSS score of 4.3 indicates moderate severity, while the EPSS score of less than 1% suggests a low probability of exploitation at this time. The vulnerability is not currently in CISA KEV. An attacker must be authenticated and hold at least Contributor permissions to exploit the flaw, which reduces the attack surface but still permits sensitive information disclosure if the token is captured."}}}}, "created": "2026-01-16T13:41:55.633140+00:00", "updated": "2026-04-20T21:15:20.623471+00:00", "vendors": ["smub", "smub$PRODUCT$all_in_one_seo", "wordpress", "wordpress$PRODUCT$wordpress"]}