[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fCPvS_-B-Hb4S9NQYqRr5JlJCpZBoM2TTwNaYcozKmb0":3},{"id":4,"url_slug":5,"title":6,"description":7,"plugin_slug":8,"theme_slug":9,"affected_versions":10,"patched_in_version":11,"severity":12,"cvss_score":13,"cvss_vector":14,"vuln_type":15,"published_date":16,"updated_date":17,"references":18,"days_to_patch":20,"patch_diff_files":21,"patch_trac_url":9,"research_status":29,"research_verified":30,"research_rounds_completed":31,"research_plan":32,"research_summary":9,"research_vulnerable_code":9,"research_fix_diff":9,"research_exploit_outline":9,"research_model_used":33,"research_started_at":34,"research_completed_at":35,"research_error":9,"poc_status":9,"poc_video_id":9,"poc_summary":9,"poc_steps":9,"poc_tested_at":9,"poc_wp_version":9,"poc_php_version":9,"poc_playwright_script":9,"poc_exploit_code":9,"poc_has_trace":30,"poc_model_used":9,"poc_verification_depth":9,"poc_exploit_code_gated":30,"source_links":36},"CVE-2026-5075","all-in-one-seo-authenticated-contributor-sensitive-information-exposure-via-internaloptions-localized-script-data","All in One SEO \u003C= 4.9.7 - Authenticated (Contributor+) Sensitive Information Exposure via 'internalOptions' Localized Script Data","The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API\u002FOAuth tokens and license-related values from page source.","all-in-one-seo-pack",null,"\u003C=4.9.7","4.9.7.1","medium",4.3,"CVSS:3.1\u002FAV:N\u002FAC:L\u002FPR:L\u002FUI:N\u002FS:U\u002FC:L\u002FI:N\u002FA:N","Exposure of Sensitive Information to an Unauthorized Actor","2026-05-19 14:51:29","2026-05-20 03:28:14",[19],"https:\u002F\u002Fwww.wordfence.com\u002Fthreat-intel\u002Fvulnerabilities\u002Fid\u002F0d8bc203-c17a-4b31-8f9e-695f9e638cda?source=api-prod",1,[22,23,24,25,26,27,28],"all_in_one_seo_pack.php","app\u002FAIOSEO.php","app\u002FCommon\u002FAdmin\u002FNotices\u002FWpNotices.php","app\u002FCommon\u002FAi\u002FAi.php","app\u002FCommon\u002FAi\u002FImage.php","app\u002FCommon\u002FApi\u002FAi.php","app\u002FCommon\u002FCore\u002FCore.php","researched",false,3,"# Vulnerability Research Plan: CVE-2026-5075 (All in One SEO)\n\n## 1. Vulnerability Summary\nThe **All in One SEO (AIOSEO)** plugin (versions \u003C= 4.9.7) contains a sensitive information exposure vulnerability. The plugin localizes a large set of configuration data into a JavaScript object (typically named `aioseo`) to support its Vue-based administrative interface. In post editor contexts, the `internalOptions` data is passed to `wp_localize_script()` without adequate filtering or masking. \n\nThis allows users with the **Contributor** role (who can access the post editor but should not have access to global plugin settings) to view sensitive data such as AI access tokens, license information, and internal API keys by inspecting the page source or the browser's global JavaScript state.\n\n## 2. Attack Vector Analysis\n- **Endpoint:** Post Editor (`\u002Fwp-admin\u002Fpost-new.php` or `\u002Fwp-admin\u002Fpost.php?post={ID}&action=edit`).\n- **Required Privilege:** Authenticated user with at least **Contributor** level access (permissions to `edit_posts`).\n- **Precondition:** The plugin must be active. Sensitive values (like an AI access token or license key) must be set in the database for the exposure to be meaningful.\n- **Vulnerable Data Sink:** `wp_localize_script()` outputting the `internalOptions` object into the HTML of the post editor.\n\n## 3. Code Flow\n1. **Script Registration:** When a user enters the post editor, WordPress fires the `enqueue_block_editor_assets` (for Gutenberg) or `admin_enqueue_scripts` hook.\n2. **AIOSEO Asset Loading:** The plugin's asset manager (likely `AIOSEO\\Plugin\\Common\\Utils\\Assets`, invoked via `aioseo()->core->assets->load()`) prepares scripts for the editor.\n3. **Data Localization:** Before enqueuing, the plugin calls `wp_localize_script()`. It gathers data from various option managers:\n   - `aioseo()->internalOptions` (Instance of `AIOSEO\\Plugin\\Lite\\Options\\InternalOptions`).\n   - `aioseo()->internalNetworkOptions`.\n4. **Information Leakage:** The `internalOptions` object, which contains sensitive internal state and potentially mirrored sensitive credentials (like `aiAccessToken` or license details), is dumped entirely into a JSON object assigned to a global JS variable (verbatim `aioseo`).\n5. **Unauthorized Access:** A Contributor-level user views the editor. The server sends the localized data. The user executes `window.aioseo.internalOptions` in the console or views the HTML source to see the secrets.\n\n## 4. Nonce Acquisition Strategy\nThis is an **Information Exposure** vulnerability. No nonce is required to trigger the exposure because the data is automatically localized and sent by the server upon a standard GET request to the post editor page. The attacker only needs a valid session cookie for a Contributor-level user.\n\n## 5. Exploitation Strategy\nThe goal is to demonstrate that a Contributor can access data they shouldn't see.\n\n### Step-by-Step Plan:\n1. **Authentication:** Log in to the WordPress site as a user with the **Contributor** role.\n2. **Navigation:** Navigate to the \"New Post\" page (`\u002Fwp-admin\u002Fpost-new.php`). This page triggers the loading of the AIOSEO sidebar and its associated localized scripts.\n3. **Data Extraction:** Use the `browser_eval` tool to extract the contents of the `aioseo.internalOptions` object.\n4. **Payload Analysis:** Search the extracted JSON for sensitive keys. Based on `app\u002FCommon\u002FAi\u002FAi.php`, interesting keys include:\n   - `internal.ai.isTrialAccessToken`\n   - `internal.ai.isManuallyConnected`\n   - Tokens stored within the internal options structure.\n   - License keys (often in `internal.license`).\n\n### HTTP Request (via `http_request` \u002F Playwright):\n```http\nGET \u002Fwp-admin\u002Fpost-new.php HTTP\u002F1.1\nHost: localhost\nCookie: [Contributor Session Cookies]\n```\n\n### Extraction Script:\n```javascript\n\u002F\u002F Run via browser_eval\nJSON.stringify(window.aioseo?.internalOptions || \"Not Found\");\n```\n\n## 6. Test Data Setup\nTo confirm exposure, we must first populate the internal options with \"secret\" data via WP-CLI:\n\n1. **Set a fake AI Access Token:**\n   ```bash\n   wp eval \"aioseo()->sensitiveOptions->set('aiAccessToken', 'POC_SECRET_TOKEN_999');\"\n   ```\n2. **Ensure internal options reflect a connected state:**\n   ```bash\n   wp eval \"aioseo()->internalOptions->internal->ai->isManuallyConnected = true;\"\n   ```\n3. **Create a Contributor user:**\n   ```bash\n   wp user create attacker attacker@example.com --role=contributor --user_pass=password123\n   ```\n\n## 7. Expected Results\nA successful exploit will return a JSON object containing the `internalOptions` structure.\n- **Success Criteria:** The output of `window.aioseo.internalOptions` contains values that are not masked (e.g., the `aiAccessToken` or specific internal configurations that should be restricted to Admins).\n- **Format:** A deeply nested JSON object.\n\n## 8. Verification Steps\n1. **Verify via CLI:** Confirm the value exists in the database.\n   ```bash\n   wp option get aioseo_options_internal\n   ```\n2. **Compare Access:** \n   - Check if the same data is visible to the Contributor in the UI (it shouldn't be, as they lack \"General Settings\" access).\n   - If `window.aioseo.internalOptions` in the post editor contains the same \"secret\" strings found in the database, the exposure is confirmed.\n\n## 9. Alternative Approaches\nIf `internalOptions` does not contain the specific token, check the broader `aioseo` object:\n1. `browser_eval(\"window.aioseo\")` - This will dump the entire localized state.\n2. Search for other sensitive keys: `license`, `apiKey`, `secret`, `accessToken`.\n3. Check if the exposure occurs on the \"All Posts\" list (`\u002Fwp-admin\u002Fedit.php`) as well, as AIOSEO often enqueues scripts there for quick-edit features.","gemini-3-flash-preview","2026-05-20 16:38:57","2026-05-20 16:39:33",{"type":37,"vulnerable_version":38,"fixed_version":11,"vulnerable_browse":39,"vulnerable_zip":40,"fixed_browse":41,"fixed_zip":42,"all_tags":43},"plugin","4.9.6.2","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-seo-pack\u002Ftags\u002F4.9.6.2","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-seo-pack.4.9.6.2.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-seo-pack\u002Ftags\u002F4.9.7.1","https:\u002F\u002Fdownloads.wordpress.org\u002Fplugin\u002Fall-in-one-seo-pack.4.9.7.1.zip","https:\u002F\u002Fplugins.trac.wordpress.org\u002Fbrowser\u002Fall-in-one-seo-pack\u002Ftags"]