PT-2026-42103 · WordPress · All In One Seo
Riadh Bouchahoua · Published 2026-05-20 · Updated 2026-05-20
CVE-2026-5075
CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
All in One SEO versions prior to 4.9.8
Description
The All in One SEO plugin for WordPress allows sensitive internal option data to be passed to the wp_localize_script() function in post editor contexts without effective masking for low-privilege users. This leads to sensitive information exposure via the 'internalOptions' localized script data. Authenticated attackers with contributor-level access or higher can view configured API/OAuth tokens and license-related values by inspecting the page source.
Recommendations
Update to a version newer than 4.9.7.
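A post-update check for the exposure described above, as an added example that is not code from the plugin or from this advisory: it parses saved post editor page source for data emitted by wp_localize_script() and lists sensitive-looking keys under 'internalOptions' that still carry a value. The variable name examplePluginData, the key-name pattern, the nested key names and the sample values are constructed assumptions.

```python
import json
import re

# Assumption for this example: key names that suggest a credential or license value.
SENSITIVE_KEY = re.compile(r"token|secret|license|api_?key", re.I)
# wp_localize_script() prints its data as "var <name> = <JSON>;" in an inline script.
LOCALIZED_VAR = re.compile(r"var\s+([A-Za-z_$][\w$]*)\s*=\s*")
# Constructed sample of editor page source; names and values are placeholders.
SAMPLE_PAGE = '''<script id="example-js-extra">
var examplePluginData = {"internalOptions":{"integrations":{"exampleService":{"accessToken":"CONSTRUCTED-TOKEN","refreshToken":""}},"license":{"licenseKey":"CONSTRUCTED-KEY"}},"postId":12};
</script>'''


def localized_objects(html):
    """Yield (name, data) for every 'var name = {...}' JSON object in the page."""
    decoder = json.JSONDecoder()
    for match in LOCALIZED_VAR.finditer(html):
        try:
            data, _ = decoder.raw_decode(html, match.end())
        except ValueError:
            continue  # ordinary JavaScript, not localized JSON
        if isinstance(data, dict):
            yield match.group(1), data


def exposed_paths(node, path):
    """Paths of sensitive-looking keys with a non-empty scalar; empty counts as masked (assumption)."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if isinstance(value, (dict, list)):
                found += exposed_paths(value, here)
            elif SENSITIVE_KEY.search(key) and value not in ("", None, False):
                found.append(here)
    elif isinstance(node, list):
        for index, value in enumerate(node):
            found += exposed_paths(value, f"{path}[{index}]")
    return found


def audit(html):
    """Map each localized object to the exposed paths under 'internalOptions'."""
    report = {}
    for name, data in localized_objects(html):
        paths = exposed_paths(data.get("internalOptions", {}), "internalOptions")
        if paths:
            report[name] = paths
    return report
```

Run audit() over page source saved from a contributor-level session on your own site; it reports key paths only, never the values, and an empty result means no matching non-empty values were found.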
Fix
Information Disclosure
Affected Products
All In One Seo