All In One SEO Vulnerability Exposes AI Token On WordPress
Briefly

"A newly disclosed security vulnerability in the All In One SEO ecosystem has drawn attention across the WordPress community due to its potential reach and impact. The flaw affects the widely used AIOSEO plugin, which is active on more than 3 million WordPress websites. It allows low-privileged users to access a site-wide AI access token tied to the plugin's artificial intelligence features."
"According to Wordfence, the issue allowed users with Contributor-level access or higher to retrieve sensitive AI-related data. This endpoint is intended to return information about a site's AI usage and remaining credits. However, it failed to verify whether the user making the request was authorized to view that information. As a result, the plugin exposed the site's global AI access token to low-privilege users."
"It helps site owners manage essential optimization tasks such as generating metadata, creating XML sitemaps, adding structured data, and improving on-page SEO performance. In recent versions, All In One SEO also introduced AI-powered tools designed to help users write SEO titles, meta descriptions, blog posts, FAQs, social media content, and generate images. These AI features rely on a global AI access token that allows the plugin to communicate with external AIOSEO AI services on behalf of the site."
A missing permission check in a REST API endpoint of the All In One SEO (AIOSEO) plugin allowed users with Contributor-level access or higher to retrieve a site's global AI access token. The AIOSEO plugin, active on more than three million WordPress sites, provides SEO management features and AI-powered content tools that rely on a site-wide AI access token to call external services. Exposing the token could let low-privilege users invoke AI features and act on behalf of the site. This is the sixth AIOSEO vulnerability disclosed in 2025, indicating recurring authorization and permission weaknesses. Contributor is a low-privilege role often granted to guest authors, freelancers, or editorial staff, increasing risk exposure when tokens are accessible.
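To make the permission weakness concrete, here is an added WordPress REST-endpoint illustration written for this summary; it is not code from the AIOSEO plugin, and the namespace, route, option names and credits helper are hypothetical. The weak registration only requires a capability that Contributors already hold and returns the site-wide token in the response; the hardened registration requires an administrator-only capability and keeps the token server-side.

```php
<?php
// Added illustration, not code from the AIOSEO plugin. The namespace,
// route, option names and the credits helper are hypothetical.

// Helper: read the remaining AI credits the site has cached locally.
function example_get_ai_credits() {
    return (int) get_option( 'example_ai_credits_remaining', 0 );
}

// Weak pattern: the only check is a capability that Contributors also hold,
// and the response carries the site-wide token itself.
function example_register_ai_usage_route_weak() {
    register_rest_route( 'example/v1', '/ai/usage', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function () {
            return rest_ensure_response( array(
                'credits_remaining' => example_get_ai_credits(),
                'access_token'      => get_option( 'example_ai_access_token' ),
            ) );
        },
        // edit_posts is granted to Contributor and every higher role.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
}

// Hardened pattern: require a capability only administrators hold, and keep
// the token server-side; the browser only needs the usage figures.
function example_register_ai_usage_route_hardened() {
    register_rest_route( 'example/v1', '/ai/usage', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => function () {
            return rest_ensure_response( array(
                'credits_remaining' => example_get_ai_credits(),
                // The access token is deliberately not part of the response.
            ) );
        },
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
    ) );
}

add_action( 'rest_api_init', 'example_register_ai_usage_route_hardened' );
```

The capability chosen for `permission_callback` should match who genuinely needs the data; regardless of that choice, a credential the server uses to call an external service has no reason to appear in any REST response.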
Read at The Cyber Express