
If your WordPress site uses the All In One SEO plugin, check which version you're running right now. A security flaw in versions up to and including 4.9.2 allowed any logged-in contributor to grab your site's global AI access token, potentially letting them burn through your AI credits or generate content on your account. The fix is in version 4.9.3, and updating is the only thing you need to do.
Key takeaways
- The All In One SEO (AIOSEO) plugin, installed on more than 3 million WordPress sites, had a missing permission check on a REST API endpoint.
- Any user with Contributor-level access or above could retrieve the site's global AI access token from the /aioseo/v1/ai/credits endpoint.
- An attacker with the token could generate AI content or exhaust your AI usage credits through your account.
- The flaw is fixed in version 4.9.3. Update immediately if you haven't already.
- This is one of six AIOSEO vulnerabilities disclosed in 2025 alone, compared with zero for Yoast SEO, four for RankMath, and three for Squirrly SEO in the same period.
What is All In One SEO and why does this matter?
All In One SEO is one of the most widely used WordPress SEO plugins, active on more than 3 million websites. It handles things like metadata, XML sitemaps, structured data, and AI-powered tools that help you write titles, descriptions, blog posts, FAQs, social media posts, and generate images.
Those AI features work through a site-wide AI access token. Think of it as a master key: any request to AIOSEO's external AI services goes through it. Whoever holds that token can use your site's AI features and consume your credits.
What went wrong: the missing permission check
The plugin exposes a REST API endpoint at /aioseo/v1/ai/credits. That endpoint is designed to show a site's AI usage and remaining credits. The problem was straightforward: it never checked whether the person asking for that information was actually allowed to see it.
In WordPress, REST API routes are supposed to include capability checks so that only the right people can access sensitive data. This one had no such check. The plugin treated a Contributor the same as an Administrator when handing out the AI token.
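To make the defect concrete, here is an added illustration (not AIOSEO's own code) of a WordPress REST route for the /aioseo/v1/ai/credits path registered with a permissive permission_callback, beside the hardened form. The handler body, the option names holding the token and credits, and the choice of the manage_options capability are assumptions for the example.

```php
<?php
// Added example, not the plugin's code. Shows why permission_callback is the
// gate that decides who can read what a REST handler returns.

// Handler: returns credit information and, crucially, the site-wide token.
// Assumed storage: two site options (names are placeholders for the example).
function example_ai_credits_handler( WP_REST_Request $request ) {
    return rest_ensure_response( [
        'credits'      => (int) get_option( 'example_ai_credits', 0 ),
        'access_token' => get_option( 'example_ai_access_token', '' ),
    ] );
}

// Vulnerable pattern. '__return_true' satisfies WordPress's check that a
// permission_callback is present (core warns with _doing_it_wrong when it is
// omitted), but it grants access to every request, including any logged-in
// Contributor authenticating with their normal cookie and REST nonce.
function example_register_vulnerable_route() {
    register_rest_route( 'aioseo/v1', '/ai/credits', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_ai_credits_handler',
        'permission_callback' => '__return_true', // no capability check at all
    ] );
}

// Hardened pattern: require a capability that Contributors do not hold.
// manage_options is granted to Administrators by default; a site could choose
// a narrower custom capability, but it must be checked here, not in the handler.
function example_ai_credits_permission( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            __( 'Sorry, you are not allowed to view AI credit information.' ),
            [ 'status' => rest_authorization_required_code() ] // 401 or 403
        );
    }
    return true;
}

function example_register_hardened_route() {
    register_rest_route( 'aioseo/v1', '/ai/credits', [
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_ai_credits_handler',
        'permission_callback' => 'example_ai_credits_permission',
    ] );
}

// Only the hardened registration is hooked; the vulnerable one is kept above
// purely for comparison and must not be wired up.
add_action( 'rest_api_init', 'example_register_hardened_route' );
```

A quick review habit that catches this class of bug: grep a plugin for `'__return_true'` next to `permission_callback` and confirm each hit really is meant to be public.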
As Wordfence put it: "This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token."
Contributors sit near the bottom of WordPress's permission hierarchy. Many sites give contributor access to freelancers, guest authors, or junior team members so they can submit drafts for review. On a vulnerable site, every one of those people could have walked off with the site's AI token.
What could someone do with the token?
This isn't a vulnerability that lets an attacker take over your server, but leaking a site-wide API token still creates real problems.
Unauthorised AI usage. The token authorises AI requests. Someone with it could generate content through your account, using up whatever credits or usage allowance is attached to it.
Service depletion. An attacker could automate requests using the token to drain your AI quota entirely, effectively locking you out of the AI features you're paying for.
There's also a billing angle. If your AIOSEO AI plan charges by usage, someone burning through your credits costs you real money.
Part of a bigger pattern
This isn't a one-off slip. According to Wordfence, AIOSEO has had six vulnerabilities disclosed in 2025 alone. The issues have included SQL injection, information disclosure, arbitrary media deletion, missing authorisation checks, sensitive data exposure, and stored cross-site scripting. The common thread running through most of them is improper permission enforcement for low-privilege users.
To put that in context, Yoast SEO had zero vulnerabilities in 2025, RankMath had four, and Squirrly SEO had three. Six in a single year is a high count for an SEO plugin.
If you're relying on AIOSEO, that track record is worth keeping in mind. Staying on top of updates isn't optional when a plugin has this kind of history. If managing plugin updates and monitoring for new vulnerabilities isn't something you want to do yourself, our website maintenance service covers exactly that.
How it was fixed
The vulnerability affects all versions of All In One SEO up to and including 4.9.2. Version 4.9.3 resolves it. The official plugin changelog describes the change as: "Hardened API routes to prevent AI access token from being exposed." That maps directly to the missing permission check Wordfence identified.
What you should do right now
- Log in to your WordPress dashboard.
- Go to Plugins > Installed Plugins.
- Find All In One SEO and check the version number.
- If you're on 4.9.2 or earlier, click Update Now to install 4.9.3 or newer.
Sites with multiple external contributors are at greatest risk, since those are the accounts that could have accessed the token on vulnerable versions. If you've been running an older version with contributors active, it's worth reviewing who has access and whether anyone may have used the endpoint.
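If you manage several sites from the command line, the manual version check and the access review above can be done in one pass. The script below is an added example (not from the original post or the plugin) intended to be run with WP-CLI as `wp eval-file aioseo-check.php`; it assumes the plugin lives in a directory starting with `all-in-one-seo-pack` and treats every account with the `edit_posts` capability (Contributor and above) as one that could have reached the endpoint on a vulnerable version.

```php
<?php
// Added check, not part of the original post or of AIOSEO. Run in a WordPress
// context (e.g. `wp eval-file aioseo-check.php`) and read the JSON it prints.

if ( ! function_exists( 'get_plugins' ) ) {
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
}

function example_aioseo_status() {
    $fixed  = '4.9.3'; // first release containing the fix, per the changelog
    $result = [
        'installed'     => false,
        'version'       => null,
        'vulnerable'    => false,
        'exposed_users' => [],
    ];

    foreach ( get_plugins() as $file => $data ) {
        // Assumption: both the free and Pro builds sit in a directory whose
        // name begins with all-in-one-seo-pack.
        if ( strpos( $file, 'all-in-one-seo-pack' ) === 0 ) {
            $result['installed']  = true;
            $result['version']    = $data['Version'];
            $result['vulnerable'] = version_compare( $data['Version'], $fixed, '<' );
        }
    }

    // Contributors hold edit_posts; Subscribers do not. Every account listed
    // here could have authenticated against the unprotected route on a
    // vulnerable version, so this is the set to review.
    foreach ( get_users( [ 'fields' => [ 'ID', 'user_login' ] ] ) as $user ) {
        if ( user_can( $user->ID, 'edit_posts' ) ) {
            $result['exposed_users'][] = $user->user_login;
        }
    }

    return $result;
}

echo json_encode( example_aioseo_status(), JSON_PRETTY_PRINT ), PHP_EOL;
```

If `vulnerable` is true, `wp plugin update all-in-one-seo-pack` applies the fix without visiting the dashboard.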
If you'd rather have someone manage your WordPress plugins, updates, and security monitoring for you, take a look at our WordPress development and support services. Keeping plugins patched and permissions properly configured is a big part of what we do.
Frequently asked questions
Which versions of All In One SEO are affected by this vulnerability?
All versions of All In One SEO up to and including 4.9.2 are affected. Version 4.9.3 contains the fix, so updating to that version or newer resolves the issue.
Do I need to do anything other than update the plugin?
Updating to version 4.9.3 or newer is the primary action required. If your site has multiple contributor-level users and you were running a vulnerable version, it's sensible to review who has that access and whether any unusual activity has occurred.
Can an attacker take over my site using this vulnerability?
No. This vulnerability does not allow remote code execution or site takeover. Its main risks are unauthorised use of your AI features and depletion of your AI usage credits through the exposed token.
How does All In One SEO's vulnerability record compare to other SEO plugins?
According to Wordfence data, AIOSEO had six vulnerabilities disclosed in 2025. By comparison, Yoast SEO had zero, RankMath had four, and Squirrly SEO had three in the same period.
Related services
Need a hand with this? Here's how IceBoxDesigns can help.