WordPress · All In One Seo · CVE-2026-5075
**Name of the Vulnerable Software and Affected Versions**
All in One SEO versions prior to 4.9.8
**Description**
The All in One SEO plugin for WordPress allows sensitive internal option data to be passed to the `wp localize script()` function in post editor contexts without effective masking for low-privilege users. This leads to sensitive information exposure via the 'internalOptions' localized script data. Authenticated attackers with contributor-level access or higher can view configured API/OAuth tokens and license-related values by inspecting the page source.
**Recommendations**
Update to a version newer than 4.9.7.