{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-67950", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "state": "PUBLISHED", "assignerShortName": "Patchstack", "dateReserved": "2025-12-15T10:00:16.552Z", "datePublished": "2025-12-16T08:12:57.565Z", "dateUpdated": "2026-04-28T16:14:24.486Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected", "packageName": "all-in-one-seo-pack", "product": "All In One SEO Pack", "vendor": "Syed Balkhi", "versions": [{"changes": [{"at": "4.9.1.1", "status": "unaffected"}], "lessThanOrEqual": "4.9.1", "status": "affected", "version": "0", "versionType": "custom"}]}], "credits": [{"lang": "en", "type": "finder", "value": "mcdruid | Patchstack Bug Bounty Program"}], "datePublic": "2026-04-22T14:23:51.534Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Blind SQL Injection.<p>This issue affects All In One SEO Pack: from n/a through <= 4.9.1.</p>"}], "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Blind SQL Injection.This issue affects All In One SEO Pack: from n/a through <= 4.9.1."}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-28T16:14:24.486Z"}, "references": [{"tags": ["vdb-entry"], "url": "https://patchstack.com/database/Wordpress/Plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-9-1-sql-injection-vulnerability?_s_id=cve"}], "title": "WordPress All In One SEO Pack plugin <= 4.9.1 - SQL Injection vulnerability"}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-16T20:08:49.279719Z", "id": "CVE-2025-67950", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-27T18:07:20.338Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-67950", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-12-16T20:08:49.279719Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-16T20:08:44.034Z"}}], "cna": {"title": "WordPress All In One SEO Pack plugin <= 4.9.1 - SQL Injection vulnerability", "credits": [{"lang": "en", "type": "finder", "value": "mcdruid | Patchstack Bug Bounty Program"}], "impacts": [{"capecId": "CAPEC-7", "descriptions": [{"lang": "en", "value": "Blind SQL Injection"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 8.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Syed Balkhi", "product": "All In One SEO Pack", "versions": [{"status": "affected", "changes": [{"at": "4.9.1.1", "status": "unaffected"}], "version": "0", "versionType": "custom", "lessThanOrEqual": "4.9.1"}], "packageName": "all-in-one-seo-pack", "collectionURL": "https://wordpress.org/plugins", "defaultStatus": "unaffected"}], "datePublic": "2026-04-22T14:23:51.534Z", "references": [{"url": "https://patchstack.com/database/Wordpress/Plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-9-1-sql-injection-vulnerability?_s_id=cve", "tags": ["vdb-entry"]}], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Blind SQL Injection.This issue affects All In One SEO Pack: from n/a through <= 4.9.1.", "supportingMedia": [{"type": "text/html", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Blind SQL Injection.<p>This issue affects All In One SEO Pack: from n/a through <= 4.9.1.</p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "21595511-bba5-4825-b968-b78d1f9984a3", "shortName": "Patchstack", "dateUpdated": "2026-04-23T14:13:54.962Z"}}}, "cveMetadata": {"cveId": "CVE-2025-67950", "state": "PUBLISHED", "dateUpdated": "2026-04-27T18:07:20.338Z", "dateReserved": "2025-12-15T10:00:16.552Z", "assignerOrgId": "21595511-bba5-4825-b968-b78d1f9984a3", "datePublished": "2025-12-16T08:12:57.565Z", "assignerShortName": "Patchstack"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Syed Balkhi All In One SEO Pack all-in-one-seo-pack allows Blind SQL Injection.This issue affects All In One SEO Pack: from n/a through <= 4.9.1."}], "id": "CVE-2025-67950", "lastModified": "2026-04-27T18:16:51.233", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.1, "impactScore": 4.7, "source": "audit@patchstack.com", "type": "Secondary"}]}, "published": "2025-12-16T09:15:59.580", "references": [{"source": "audit@patchstack.com", "url": "https://patchstack.com/database/Wordpress/Plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-9-1-sql-injection-vulnerability?_s_id=cve"}], "sourceIdentifier": "audit@patchstack.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "audit@patchstack.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-28T10:15:26.726960+00:00", "value": {"mitigation_remediation": ["Update the All In One SEO Pack plugin to version 4.9.2 or newer to apply the SQL injection fix.", "If an update cannot be applied immediately, disable the All In One SEO Pack plugin to eliminate the injection surface.", "Monitor the WordPress database and server logs for suspicious activity and irregular queries that may indicate attempted or successful exploitation."], "summary": {"action": "Patch Now", "impact": "Blind SQL Injection"}, "threat_synthesis": {"affected_systems": "WordPress sites running the All In One SEO Pack plugin version 4.9.1 or earlier are at risk. The affected package is identified as Syed Balkhi:All In One SEO Pack. Any instance of the plugin with a version number 4.9.1 or lower is considered vulnerable.", "description_and_impact": "An SQL injection flaw exists in the All In One SEO Pack plugin developed by Syed Balkhi. The vulnerability allows an attacker to embed malicious SQL commands that are executed by the WordPress database engine, enabling the attacker to read, modify, or delete data stored in the WordPress database. This can compromise the confidentiality, integrity, or availability of site content or configuration. The weakness is classified as CWE\u201189, Improper Neutralization of Special Elements used in an SQL Command.", "risk_and_exploitability": "The CVSS score is 8.5, indicating high severity. The EPSS score is less than 1%, suggesting that the likelihood of an active exploitation at scale is low but not negligible. The vulnerability is not listed in the CISA KEV catalog. The likely attack vector is web-based, exploiting the plugin\u2019s handling of user input through HTTP requests. Successful exploitation would provide an attacker with blind read or modify capabilities against the WordPress database, potentially leading to full compromise of the installation."}}}}, "created": "2025-12-16T17:09:29.292569+00:00", "updated": "2026-04-28T10:15:28.865493+00:00", "vendors": ["syed_balkhi", "syed_balkhi$PRODUCT$all_in_one_seo_pack", "wordpress", "wordpress$PRODUCT$wordpress"]}