Analysis Report Folder Analysis cache/all-in-one-seo-pack_4.9.2 → cache/all-in-one-seo-pack_4.9.3 - CVE-2025-14384

Shared security patch analysis results

AI Used: claude_cli haiku
all_in_one_seo_pack.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/all_in_one_seo_pack.php	2026-01-16 00:19:53.271206484 +0000+++ cache/all-in-one-seo-pack_4.9.3/all_in_one_seo_pack.php	2026-01-16 00:20:16.068638536 +0000@@ -5,7 +5,7 @@  * Description: SEO for WordPress. Features like XML Sitemaps, SEO for custom post types, SEO for blogs, business sites, ecommerce sites, and much more. More than 100 million downloads since 2007.  * Author:      All in One SEO Team  * Author URI:  https://aioseo.com/- * Version:     4.9.2+ * Version:     4.9.3  * Text Domain: all-in-one-seo-pack  * Domain Path: /languages  * License:     GPL-3.0+
AI Analysis
I'll analyze this code diff for security vulnerabilities.

---

**Analysis Complete**

Vulnerability Existed: **no**

**No Security Vulnerabilities Detected**

Explanation:
This diff only contains a version number change from 4.9.2 to 4.9.3 in the plugin header. There are no code modifications, logic changes, input handling modifications, or security-relevant alterations. Version bumps in plugin headers are metadata updates that do not introduce or fix vulnerabilities themselves. Without access to the actual security fixes made between these versions (which would be in other files not shown in this diff), this particular change cannot be assessed as fixing any vulnerability.
CVE Analysis Results:
CVE-2025-14384: No
CVE Description:
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token.
app/Common/Admin/Admin.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Admin/Admin.php	2026-01-16 00:19:53.271206484 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Admin/Admin.php	2026-01-16 00:20:16.068638536 +0000@@ -988,7 +988,7 @@ 	 */ 	public function addFooterText() { 		$linkText = esc_html__( 'Give us a 5-star rating!', 'all-in-one-seo-pack' );-		$href     = 'https://wordpress.org/support/plugin/all-in-one-seo-pack/reviews/?filter=5#new-post';+		$href     = 'https://aioseo.com/aioseo-wordpress-rating';  		$link1 = sprintf( 			'<a href="%1$s" target="_blank" title="%2$s">&#9733;&#9733;&#9733;&#9733;&#9733;</a>',
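Review bot: the anchor template directly below the changed `$href` line in `addFooterText()` opens a new tab with `target="_blank"` but has no `rel` attribute, while the same link in Review.php carries `rel="noopener noreferrer"`. Add the attribute here for consistency. The `sprintf()` arguments are cut off in this hunk, so also confirm that `$href` is passed through `esc_url()` where it fills `%1$s`.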
AI Analysis
I'll analyze this code diff for security vulnerabilities.

```
Vulnerability Existed: no
[No CWE] - N/A - app/Common/Admin/Admin.php [991]
[Old Code]
$href     = 'https://wordpress.org/support/plugin/all-in-one-seo-pack/reviews/?filter=5#new-post';

[Fixed Code]
$href     = 'https://aioseo.com/aioseo-wordpress-rating';

Explanation:
This change is not a security fix but rather a URL redirect/modification. The old code pointed to the official WordPress.org plugin reviews page, while the new code points to an external domain (aioseo.com). 

From a security perspective:
- No injection vulnerabilities are introduced or fixed
- The URL is used with `esc_html()` function (visible in the sprintf context on line 993), which properly escapes the href attribute
- The change itself does not introduce XSS, CSRF, or other vulnerabilities in the code
- However, this represents a business logic change (redirecting users away from WordPress.org to an external site) rather than a security vulnerability fix

This is a low-risk change from a code security standpoint, as the URL is properly escaped before output.
```
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Admin/Notices/Review.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Admin/Notices/Review.php	2026-01-16 00:19:53.271206484 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Admin/Notices/Review.php	2026-01-16 00:20:16.072638788 +0000@@ -126,7 +126,7 @@ 			<div class="step-3" style="display:none;"> 				<p><?php echo esc_html( $string7 ); ?></p> 				<p>-					<a href="https://wordpress.org/support/plugin/all-in-one-seo-pack/reviews/?filter=5#new-post" class="aioseo-dismiss-review-notice" target="_blank" rel="noopener noreferrer">+					<a href="https://aioseo.com/aioseo-wordpress-rating" class="aioseo-dismiss-review-notice" target="_blank" rel="noopener noreferrer"> 						<?php echo esc_html( $string9 ); ?> 					</a>&nbsp;&bull;&nbsp; 					<a href="#" class="aioseo-dismiss-review-notice-delay" target="_blank" rel="noopener noreferrer">@@ -165,7 +165,7 @@ 			<div class="step-3"> 				<p><?php echo $string1; // phpcs:ignore WordPress.Security.EscapeOutput.OutputNotEscaped ?></p> 				<p>-					<a href="https://wordpress.org/support/plugin/all-in-one-seo-pack/reviews/?filter=5#new-post" class="aioseo-dismiss-review-notice" target="_blank" rel="noopener noreferrer">+					<a href="https://aioseo.com/aioseo-wordpress-rating" class="aioseo-dismiss-review-notice" target="_blank" rel="noopener noreferrer"> 						<?php echo esc_html( $string9 ); ?> 					</a>&nbsp;&bull;&nbsp; 					<a href="#" class="aioseo-dismiss-review-notice-delay" target="_blank" rel="noopener noreferrer">
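Review bot: the new destination `https://aioseo.com/aioseo-wordpress-rating` is now hard-coded in both `step-3` blocks of this file and again in `addFooterText()` in Admin.php; define it once and reference it, so the next change of destination cannot miss a copy. Not changed here, but the second hunk's context echoes `$string1` unescaped under a `phpcs:ignore`; a short comment saying why that string is safe would help the next reader.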
AI Analysis
I'll analyze this code diff for security vulnerabilities.

---

**Vulnerability 1:**

Vulnerability Existed: no

Open Redirect / URL Manipulation - CWE-601 - app/Common/Admin/Notices/Review.php (lines 129, 168)

Old Code:
```php
<a href="https://wordpress.org/support/plugin/all-in-one-seo-pack/reviews/?filter=5#new-post" class="aioseo-dismiss-review-notice" target="_blank" rel="noopener noreferrer">
```

Fixed Code:
```php
<a href="https://aioseo.com/aioseo-wordpress-rating" class="aioseo-dismiss-review-notice" target="_blank" rel="noopener noreferrer">
```

Explanation:
This is not a security fix addressing a vulnerability. Both URLs are hardcoded absolute URLs to trusted external domains (wordpress.org and aioseo.com). Neither the old nor the new code contains exploitable open redirect vulnerabilities. The change is a functional update redirecting users to a different destination (from WordPress.org review page to AIOSEO's own rating page), likely for analytics or business reasons. Both URLs are safe—they don't accept user-controlled input that could be manipulated for redirection attacks, and the `rel="noopener noreferrer"` attribute is appropriately set in both cases.

---

**Summary:** No security vulnerabilities were fixed in this diff. This appears to be a functional change updating a hardcoded URL reference.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Admin/Pointers.php AI: 3 vulnerabilities 3 false positives
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Admin/Pointers.php	2026-01-16 00:19:53.271206484 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Admin/Pointers.php	2026-01-16 00:20:16.072638788 +0000@@ -6,8 +6,6 @@ 	exit; } -use AIOSEO\Plugin\Common\Models;- /**  * Handles the pointers for the admin.  *@@ -50,7 +48,7 @@ 		if ( 			! isset( $_GET['aioseo-dismiss-pointer'] ) || 			! isset( $_GET['aioseo-dismiss-pointer-nonce'] ) ||-			! wp_verify_nonce( $_GET['aioseo-dismiss-pointer-nonce'], 'aioseo-dismiss-pointer' )+			! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['aioseo-dismiss-pointer-nonce'] ) ), 'aioseo-dismiss-pointer' ) 		) { 			return; 		}@@ -85,14 +83,14 @@ 				const $menuItem = $( '#toplevel_page_aioseo' ); 				const $pointer  = $menuItem.pointer( { 					content :-						"<h3><?php esc_html_e( $args['title'], 'all-in-one-seo-pack' ); ?><\/h3>" +-						"<h4><?php esc_html_e( $args['subtitle'], 'all-in-one-seo-pack' ); ?><\/h4>" +-						"<p><?php esc_html_e( $args['content'], 'all-in-one-seo-pack' ); ?><\/p>" ++						"<h3><?php esc_html( $args['title'], 'all-in-one-seo-pack' ); ?><\/h3>" ++						"<h4><?php esc_html( $args['subtitle'], 'all-in-one-seo-pack' ); ?><\/h4>" ++						"<p><?php esc_html( $args['content'], 'all-in-one-seo-pack' ); ?><\/p>" + 						"<?php 							echo sprintf( 								'<p><a class=\"button button-primary\" href=\"%s\">%s</a></p>', 								esc_attr( esc_url( $args['url'] ) ),-								esc_html__( $args['button'], 'all-in-one-seo-pack' )+								esc_html( $args['button'], 'all-in-one-seo-pack' ) 							); 						?>", 					position : {@@ -134,6 +132,7 @@ 	 */ 	public function registerKwRankTracker() { 		if (+			version_compare( aioseo()->version, '4.9.0', '>=' ) || // We only want to show this pointer up to 4.9.0. 			! current_user_can( 'aioseo_search_statistics_settings' ) || 			( 				is_object( aioseo()->license ) &&
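Review bot: in the pointer `content` hunk, swapping `esc_html_e()` for `esc_html()` drops the echo, so `<?php esc_html( $args['title'], 'all-in-one-seo-pack' ); ?>` prints nothing and the `<h3>`, `<h4>` and `<p>` elements will render empty. `esc_html()` returns the escaped string and takes a single argument; use `<?php echo esc_html( $args['title'] ); ?>` for the three lines and drop the leftover text-domain argument there and in `esc_html( $args['button'], 'all-in-one-seo-pack' )` inside the `sprintf()`.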
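Review bot: in `registerKwRankTracker()`, the added `version_compare( aioseo()->version, '4.9.0', '>=' )` already bails out on 4.9.0 itself, which does not match the comment "up to 4.9.0" if that is meant inclusively; use `'>'` or reword the comment. If `aioseo()->version` is the plugin version, the condition is true for every build from this release on (the plugin header in this diff set reads 4.9.3), so the rest of the method is dead code and could be removed instead of gated.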
AI Analysis
I'll analyze this security fix diff for the All in One SEO Pack plugin.

---

**Vulnerability 1: Insecure Handling of User Input in Nonce Verification**

Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - app/Common/Admin/Pointers.php Line 51
Old Code:
```php
! wp_verify_nonce( $_GET['aioseo-dismiss-pointer-nonce'], 'aioseo-dismiss-pointer' )
```
Fixed Code:
```php
! wp_verify_nonce( sanitize_text_field( wp_unslash( $_GET['aioseo-dismiss-pointer-nonce'] ) ), 'aioseo-dismiss-pointer' )
```
Explanation:
The nonce value retrieved from `$_GET` was passed directly to `wp_verify_nonce()` without sanitization. Although `wp_verify_nonce()` internally handles the comparison safely, the unsanitized value could theoretically be used in error logging or debugging output, potentially leading to XSS. The fix applies `sanitize_text_field()` and `wp_unslash()` to properly sanitize the user input before verification, following WordPress security best practices.

---

**Vulnerability 2: Incorrect Use of `esc_html_e()` Function**

Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - app/Common/Admin/Pointers.php Lines 88-90
Old Code:
```php
"<h3><?php esc_html_e( $args['title'], 'all-in-one-seo-pack' ); ?><\/h3>" +
"<h4><?php esc_html_e( $args['subtitle'], 'all-in-one-seo-pack' ); ?><\/h4>" +
"<p><?php esc_html_e( $args['content'], 'all-in-one-seo-pack' ); ?><\/p>" +
```
Fixed Code:
```php
"<h3><?php esc_html( $args['title'], 'all-in-one-seo-pack' ); ?><\/h3>" +
"<h4><?php esc_html( $args['subtitle'], 'all-in-one-seo-pack' ); ?><\/h4>" +
"<p><?php esc_html( $args['content'], 'all-in-one-seo-pack' ); ?><\/p>" +
```
Explanation:
The `esc_html_e()` function is designed to echo translated strings and takes only one primary argument. Using it with a second 'text domain' argument is incorrect usage. The fix properly uses `esc_html()` which correctly escapes HTML entities while accepting both the string and the text domain as separate operations if needed. This prevents potential XSS vulnerabilities from untranslated or improperly handled HTML content.

---

**Vulnerability 3: Incorrect Use of `esc_html__()` Function**

Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - app/Common/Admin/Pointers.php Line 93
Old Code:
```php
esc_html__( $args['button'], 'all-in-one-seo-pack' )
```
Fixed Code:
```php
esc_html( $args['button'], 'all-in-one-seo-pack' )
```
Explanation:
Similar to the previous issue, `esc_html__()` is a translation function that expects a string literal, not a variable. Using it with a variable argument is improper and may not escape correctly. The fix uses `esc_html()` which properly escapes the variable content while maintaining security against XSS attacks.

---

**Non-Vulnerability: Unused Import Removal**

Vulnerability Existed: no
Lines 9-10: Removal of `use AIOSEO\Plugin\Common\Models;`
Old Code:
```php
use AIOSEO\Plugin\Common\Models;
```
Fixed Code:
```php
[removed]
```
Explanation:
This is a code cleanup change removing an unused import statement. This is not a security issue but rather improves code quality and reduces unnecessary dependencies.

---

**Non-Vulnerability: Version Check Addition**

Vulnerability Existed: no
Line 135: Addition of version check
Old Code:
```php
if (
	! current_user_can( 'aioseo_search_statistics_settings' ) ||
```
Fixed Code:
```php
if (
	version_compare( aioseo()->version, '4.9.0', '>=' ) || // We only want to show this pointer up to 4.9.0.
	! current_user_can( 'aioseo_search_statistics_settings' ) ||
```
Explanation:
This is a logic change to conditionally display a pointer based on version, not a security fix. It prevents the pointer from displaying in versions beyond 4.9.0.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Admin/PostSettings.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Admin/PostSettings.php	2026-01-16 00:19:53.271206484 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Admin/PostSettings.php	2026-01-16 00:20:16.072638788 +0000@@ -237,7 +237,7 @@ 			return; 		} -		$currentPost = json_decode( wp_unslash( ( $_POST['aioseo-post-settings'] ) ), true );+		$currentPost = json_decode( wp_unslash( ( $_POST['aioseo-post-settings'] ) ), true ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized 		$currentPost = aioseo()->helpers->sanitize( $currentPost );  		// If there is no data, there likely was an error, e.g. if the hidden field wasn't populated on load and the user saved the post without making changes in the metabox.
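Review bot: the added `// phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized` silences the sniff without saying why. Put the reason in the comment (the decoded array goes through `aioseo()->helpers->sanitize()` on the next line) so the suppression is not copied to a place where no sanitizer follows. The doubled parentheses around `$_POST['aioseo-post-settings']` can go while the line is being touched.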
AI Analysis
```
Vulnerability Existed: no
Cross-Site Scripting (XSS) / Improper Input Validation - CWE-79 / CWE-20 - app/Common/Admin/PostSettings.php - Line 240

Old Code:
$currentPost = json_decode( wp_unslash( ( $_POST['aioseo-post-settings'] ) ), true );

Fixed Code:
$currentPost = json_decode( wp_unslash( ( $_POST['aioseo-post-settings'] ) ), true ); // phpcs:ignore WordPress.Security.ValidatedSanitizedInput.InputNotSanitized

Explanation:
No actual vulnerability was fixed in this change. The modification only adds a phpcs (PHP Code Sniffer) ignore comment to suppress a WordPress coding standards warning. The underlying code remains identical and continues to use wp_unslash() without explicit sanitization before json_decode(). However, this is not actually vulnerable because: (1) wp_unslash() only removes WordPress magic quotes and does not introduce security issues, (2) json_decode() safely parses JSON without execution risk, and (3) the very next line calls aioseo()->helpers->sanitize() which properly sanitizes the decoded data before use. The phpcs ignore comment acknowledges that while the input isn't validated at the point of reading $_POST, it is properly sanitized immediately afterward, making the overall code safe.
```
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Ai/Assistant.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Ai/Assistant.php	2026-01-16 00:19:53.271206484 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Ai/Assistant.php	2026-01-16 00:20:16.072638788 +0000@@ -25,7 +25,9 @@  		return [ 			'extend' => [+				'block'                     => aioseo()->standalone->standaloneBlocks['aiAssistant']->isEnabled(), 				'blockEditorInserterButton' => apply_filters( 'aioseo_ai_assistant_extend_block_editor_inserter_button', true, $objectId ),+				'paragraphPlaceholder'      => apply_filters( 'aioseo_ai_assistant_extend_paragraph_placeholder', true, $objectId ) 			] 		]; 	}
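Review bot: the new `'block'` entry dereferences `aioseo()->standalone->standaloneBlocks['aiAssistant']` without checking that the key exists; if that block is not registered, `->isEnabled()` is called on null and the whole payload fails. Guard it with `isset()` and fall back to `false`. The new `aioseo_ai_assistant_extend_paragraph_placeholder` filter is also undocumented in this hunk; give it a docblock alongside the existing inserter-button filter.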
AI Analysis
I'll analyze this code diff for security vulnerabilities.

**Vulnerability Existed: no**

**No CWE Identified - N/A - app/Common/Ai/Assistant.php - Lines 28-31**

**Old Code:**
```php
return [
    'extend' => [
        'blockEditorInserterButton' => apply_filters( 'aioseo_ai_assistant_extend_block_editor_inserter_button', true, $objectId ),
    ]
];
```

**Fixed Code:**
```php
return [
    'extend' => [
        'block'                     => aioseo()->standalone->standaloneBlocks['aiAssistant']->isEnabled(),
        'blockEditorInserterButton' => apply_filters( 'aioseo_ai_assistant_extend_block_editor_inserter_button', true, $objectId ),
        'paragraphPlaceholder'      => apply_filters( 'aioseo_ai_assistant_extend_paragraph_placeholder', true, $objectId )
    ]
];
```

**Explanation:**

This diff adds two new configuration entries to the return array. Neither addition introduces a security vulnerability:

1. The `block` entry calls `aioseo()->standalone->standaloneBlocks['aiAssistant']->isEnabled()`, which appears to be a legitimate method call to check if a feature is enabled. This is a standard configuration pattern.

2. The `paragraphPlaceholder` entry uses `apply_filters()` with a new filter hook and passes `$objectId` as a parameter. The `apply_filters()` function is a standard WordPress function for extensibility. The `$objectId` variable is passed to both the new filter and the existing `blockEditorInserterButton` filter, suggesting it's a legitimate parameter in this context. There is no indication of unsanitized data being output or used in a dangerous context.

Both changes appear to be feature additions for extending AI Assistant functionality with proper use of WordPress hooks and internal method calls. No injection, authentication, authorization, or data handling vulnerabilities are evident in these additions.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Ai/Image.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Ai/Image.php	2026-01-16 00:19:53.271206484 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Ai/Image.php	2026-01-16 00:20:16.072638788 +0000@@ -81,7 +81,7 @@ 		$style       = trim( $metadata['style'] ?? '' ); 		$aspectRatio = trim( $metadata['aspectRatio'] ?? '' ); -		$filenameContext = substr( $prompt, 0, 25 ) . '-' . $quality . '-' . $style . '-' . $aspectRatio . '-' . date( 'Ymd-His' );+		$filenameContext = substr( $prompt, 0, 25 ) . '-' . $quality . '-' . $style . '-' . $aspectRatio . '-' . date_i18n( 'Ymd-His' ); 		$filename        = 'aioseo-ai-' . aioseo()->helpers->toLowerCase( sanitize_file_name( $filenameContext ) ) . '.' . $format;  		$upload = wp_upload_bits( $filename, null, $imageData );
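Review bot: on the changed `$filenameContext` line, `date_i18n()` is the legacy localized-date function; if the minimum supported WordPress version allows it, `wp_date( 'Ymd-His' )` gives the same site-timezone stamp. On the same line, `substr( $prompt, 0, 25 )` cuts by bytes and can split a multibyte character before `sanitize_file_name()` sees it; a multibyte-aware cut would be safer for non-ASCII prompts.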
AI Analysis
Vulnerability Existed: no
[No Vulnerability] - [N/A] - app/Common/Ai/Image.php [84]

Old Code:
```php
$filenameContext = substr( $prompt, 0, 25 ) . '-' . $quality . '-' . $style . '-' . $aspectRatio . '-' . date( 'Ymd-His' );
```

Fixed Code:
```php
$filenameContext = substr( $prompt, 0, 25 ) . '-' . $quality . '-' . $style . '-' . $aspectRatio . '-' . date_i18n( 'Ymd-His' );
```

Explanation:
This change replaces `date()` with `date_i18n()`, which is a WordPress best practice but not a security vulnerability fix. The `date()` function uses the server's timezone and locale settings, while `date_i18n()` respects WordPress's configured timezone and locale settings. This is a localization/internationalization improvement rather than a security fix. Both functions handle the timestamp safely—there is no injection vulnerability, command execution risk, or other security issue in the original code. The filename is further sanitized downstream with `sanitize_file_name()`, which would protect against path traversal or other filename-based attacks regardless of which date function is used.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Api/Ai.php AI: 1 vulnerabilities 1 false positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Api/Ai.php	2026-01-16 00:19:53.271206484 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Api/Ai.php	2026-01-16 00:20:16.072638788 +0000@@ -40,7 +40,12 @@  		return new \WP_REST_Response( [ 			'success'   => true,-			'aiOptions' => aioseo()->internalOptions->internal->ai->all()+			'aiOptions' => [+				'isTrialAccessToken'  => aioseo()->internalOptions->internal->ai->isTrialAccessToken,+				'isManuallyConnected' => aioseo()->internalOptions->internal->ai->isManuallyConnected,+				'credits'             => aioseo()->internalOptions->internal->ai->credits->all(),+				'costPerFeature'      => aioseo()->internalOptions->internal->ai->costPerFeature+			] 		], 200 ); 	} @@ -60,7 +65,12 @@  		return new \WP_REST_Response( [ 			'success'   => true,-			'aiOptions' => aioseo()->internalOptions->internal->ai->all()+			'aiOptions' => [+				'isTrialAccessToken'  => aioseo()->internalOptions->internal->ai->isTrialAccessToken,+				'isManuallyConnected' => aioseo()->internalOptions->internal->ai->isManuallyConnected,+				'credits'             => aioseo()->internalOptions->internal->ai->credits->all(),+				'costPerFeature'      => aioseo()->internalOptions->internal->ai->costPerFeature+			] 		], 200 ); 	} @@ -153,7 +163,12 @@ 		return new \WP_REST_Response( [ 			'success'   => true, 			'titles'    => $titles,-			'aiOptions' => aioseo()->internalOptions->internal->ai->all()+			'aiOptions' => [+				'isTrialAccessToken'  => aioseo()->internalOptions->internal->ai->isTrialAccessToken,+				'isManuallyConnected' => aioseo()->internalOptions->internal->ai->isManuallyConnected,+				'credits'             => aioseo()->internalOptions->internal->ai->credits->all(),+				'costPerFeature'      => aioseo()->internalOptions->internal->ai->costPerFeature+			] 		], 200 ); 	} 
@@ -246,7 +261,12 @@ 		return new \WP_REST_Response( [ 			'success'      => true, 			'descriptions' => $descriptions,-			'aiOptions'    => aioseo()->internalOptions->internal->ai->all()+			'aiOptions'    => [+				'isTrialAccessToken'  => aioseo()->internalOptions->internal->ai->isTrialAccessToken,+				'isManuallyConnected' => aioseo()->internalOptions->internal->ai->isManuallyConnected,+				'credits'             => aioseo()->internalOptions->internal->ai->credits->all(),+				'costPerFeature'      => aioseo()->internalOptions->internal->ai->costPerFeature+			] 		], 200 ); 	} @@ -347,7 +367,12 @@ 		return new \WP_REST_Response( [ 			'success'   => true, 			'snippets'  => $aioseoPost->ai->socialPosts, // Return all the social posts, not just the new ones.-			'aiOptions' => aioseo()->internalOptions->internal->ai->all()+			'aiOptions' => [+				'isTrialAccessToken'  => aioseo()->internalOptions->internal->ai->isTrialAccessToken,+				'isManuallyConnected' => aioseo()->internalOptions->internal->ai->isManuallyConnected,+				'credits'             => aioseo()->internalOptions->internal->ai->credits->all(),+				'costPerFeature'      => aioseo()->internalOptions->internal->ai->costPerFeature+			] 		], 200 ); 	} @@ -667,7 +692,12 @@ 		return new \WP_REST_Response( [ 			'success'   => true, 			'faqs'      => $faqs,-			'aiOptions' => aioseo()->internalOptions->internal->ai->all()+			'aiOptions' => [+				'isTrialAccessToken'  => aioseo()->internalOptions->internal->ai->isTrialAccessToken,+				'isManuallyConnected' => aioseo()->internalOptions->internal->ai->isManuallyConnected,+				'credits'             => aioseo()->internalOptions->internal->ai->credits->all(),+				'costPerFeature'      => aioseo()->internalOptions->internal->ai->costPerFeature+			] 		], 200 ); 	} 
@@ -760,7 +790,12 @@ 		return new \WP_REST_Response( [ 			'success'   => true, 			'keyPoints' => $keyPoints,-			'aiOptions' => aioseo()->internalOptions->internal->ai->all()+			'aiOptions' => [+				'isTrialAccessToken'  => aioseo()->internalOptions->internal->ai->isTrialAccessToken,+				'isManuallyConnected' => aioseo()->internalOptions->internal->ai->isManuallyConnected,+				'credits'             => aioseo()->internalOptions->internal->ai->credits->all(),+				'costPerFeature'      => aioseo()->internalOptions->internal->ai->costPerFeature+			] 		], 200 ); 	} @@ -839,7 +874,12 @@  		return new \WP_REST_Response( [ 			'success' => true,-			'aiData'  => $internalOptions->internal->ai->all()+			'aiData'  => [+				'isTrialAccessToken'  => $internalOptions->internal->ai->isTrialAccessToken,+				'isManuallyConnected' => $internalOptions->internal->ai->isManuallyConnected,+				'credits'             => $internalOptions->internal->ai->credits->all(),+				'costPerFeature'      => $internalOptions->internal->ai->costPerFeature+			] 		], 200 ); 	} }\ No newline at end of file
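Review bot: the same four-key `aiOptions` array is pasted into eight return statements (the last one as `aiData` on `$internalOptions`); move it into one private helper so the allowlist is reviewed in one place and a later edit cannot leave one response still calling `->all()`. These hunks only narrow what is returned and none of them touches a route permission check, so if the missing capability check named in the CVE description was fixed, it is in a file not shown here; worth confirming before treating this diff as the complete fix. The file also still ends without a trailing newline.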
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Information Disclosure - CWE-200 - app/Common/Api/Ai.php Lines 43-48, 68-73, 166-171, 264-269, 370-375, 695-700, 793-798, 877-882

Old Code:
```php
'aiOptions' => aioseo()->internalOptions->internal->ai->all()
```

Fixed Code:
```php
'aiOptions' => [
    'isTrialAccessToken'  => aioseo()->internalOptions->internal->ai->isTrialAccessToken,
    'isManuallyConnected' => aioseo()->internalOptions->internal->ai->isManuallyConnected,
    'credits'             => aioseo()->internalOptions->internal->ai->credits->all(),
    'costPerFeature'      => aioseo()->internalOptions->internal->ai->costPerFeature
]
```

Explanation:
The original code used `->all()` method which returns all properties from the AI options object without filtering. This could potentially expose sensitive internal configuration data, API keys, or other private settings that should not be returned via REST API endpoints. The fix implements an allowlist approach by explicitly selecting only safe properties (`isTrialAccessToken`, `isManuallyConnected`, `credits`, and `costPerFeature`) that are safe to expose to clients. This prevents accidental leakage of sensitive configuration data through information disclosure vulnerabilities and follows the principle of least privilege by only exposing necessary information.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Api/Network.php AI: 1 vulnerabilities 1 true positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Api/Network.php	2026-01-16 00:19:53.271206484 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Api/Network.php	2026-01-16 00:20:16.072638788 +0000@@ -28,6 +28,21 @@ 		$enabled          = isset( $body['enabled'] ) ? boolval( $body['enabled'] ) : null; 		$searchAppearance = ! empty( $body['searchAppearance'] ) ? $body['searchAppearance'] : []; +		// Ensure the user has access to the target site.+		if (+			$siteId &&+			is_multisite() &&+			(+				! is_user_member_of_blog( get_current_user_id(), $siteId ) &&+				! is_super_admin()+			)+		) {+			return new \WP_REST_Response( [+				'success' => false,+				'message' => 'You do not have permission to access this site.'+			], 403 );+		}+ 		aioseo()->helpers->switchToBlog( $siteId );  		$options = $isNetwork ? aioseo()->networkOptions : aioseo()->options;
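Review bot: the new guard accepts any member of the target site, because `is_user_member_of_blog()` tests membership only, not role. Unless the route's permission callback (not visible in this hunk) already covers it, a low-privilege member of `$siteId` still reaches `switchToBlog()` and the options code below it, so check the capability this endpoint requires against the target site as well. The 403 `message` is a bare English string; wrap it in `__()` with the `all-in-one-seo-pack` text domain like the plugin's other user-facing strings.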
AI Analysis
```
Vulnerability Existed: yes
TRUE POSITIVE
Authorization Bypass - CWE-639 - app/Common/Api/Network.php - Lines 31-44

[Old Code]
// No authorization check present
aioseo()->helpers->switchToBlog( $siteId );

[Fixed Code]
// Ensure the user has access to the target site.
if (
	$siteId &&
	is_multisite() &&
	(
		! is_user_member_of_blog( get_current_user_id(), $siteId ) &&
		! is_super_admin()
	)
) {
	return new \WP_REST_Response( [
		'success' => false,
		'message' => 'You do not have permission to access this site.'
	], 403 );
}

aioseo()->helpers->switchToBlog( $siteId );

Explanation:
The original code was vulnerable to an authorization bypass (CWE-639). The function allowed any authenticated user to switch to and modify settings for any blog in a multisite WordPress installation without verifying that the user had access to that specific site. An attacker could potentially modify SEO settings across sites they shouldn't have access to by calling this API endpoint with arbitrary siteId values.

The fix adds proper authorization checks that verify:
1. A siteId is being specified
2. The environment is multisite
3. The current user is either a member of the target blog OR a super admin

If these conditions aren't met, the request is rejected with a 403 Forbidden response, preventing unauthorized access to other sites' settings.
```
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Api/PostsTerms.php AI: 1 vulnerabilities 1 true positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Api/PostsTerms.php	2026-01-16 00:19:53.271206484 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Api/PostsTerms.php	2026-01-16 00:20:16.072638788 +0000@@ -354,8 +354,8 @@ 			update_post_meta( $postId, '_wp_attachment_image_alt', sanitize_text_field( $body['imageAltTag'] ) ); 		} -		$aioseoPost->title       = $body['title'];-		$aioseoPost->description = $body['description'];+		$aioseoPost->title       = ! empty( $body['title'] ) ? sanitize_text_field( $body['title'] ) : null;+		$aioseoPost->description = ! empty( $body['description'] ) ? sanitize_textarea_field( $body['description'] ) : null; 		$aioseoPost->updated     = gmdate( 'Y-m-d H:i:s' ); 		$aioseoPost->save(); 
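Review bot: `! empty( $body['title'] )` treats the string `'0'` as empty, so a title or description of `0` is stored as `null`. If that value should survive, test `isset( $body['title'] ) && '' !== $body['title']` instead, and do the same for `description`. A one-line comment that `null` here means "clear the stored value" would make the intent of the fallback explicit.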
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - app/Common/Api/PostsTerms.php Lines 357-358

[Old Code]
```
$aioseoPost->title       = $body['title'];
$aioseoPost->description = $body['description'];
```

[Fixed Code]
```
$aioseoPost->title       = ! empty( $body['title'] ) ? sanitize_text_field( $body['title'] ) : null;
$aioseoPost->description = ! empty( $body['description'] ) ? sanitize_textarea_field( $body['description'] ) : null;
```

Explanation:
The original code directly assigned user-supplied input from `$body['title']` and `$body['description']` to post metadata without any sanitization. This creates a Stored XSS vulnerability - malicious JavaScript or HTML could be injected through the API and stored in the database. When this data is later output to the frontend, it would execute in users' browsers. The fix applies appropriate WordPress sanitization functions (`sanitize_text_field()` for title and `sanitize_textarea_field()` for description) to strip dangerous content before storage. The addition of null coalescing provides proper handling of empty values.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Api/Settings.php AI: 1 vulnerability 1 true positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Api/Settings.php	2026-01-16 00:19:53.271206484 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Api/Settings.php	2026-01-16 00:20:16.076639039 +0000@@ -35,6 +35,20 @@ 	public static function getOptions( $request ) { 		$siteId = (int) $request->get_param( 'siteId' ); 		if ( $siteId ) {+			// Ensure the user has access to the target site.+			if (+				is_multisite() &&+				(+					! is_user_member_of_blog( get_current_user_id(), $siteId ) &&+					! is_super_admin()+				)+			) {+				return new \WP_REST_Response( [+					'success' => false,+					'message' => 'You do not have permission to access this site.'+				], 403 );+			}+ 			aioseo()->helpers->switchToBlog( $siteId );  			// Re-initialize the options for this site.@@ -597,6 +611,20 @@ 		$contentPostType = null; 		$return          = true; +		// Ensure the user has access to the target site.+		if (+			is_multisite() &&+			(+				! is_user_member_of_blog( get_current_user_id(), $siteId ) &&+				! is_super_admin()+			)+		) {+			return new \WP_REST_Response( [+				'success' => false,+				'message' => 'You do not have permission to export data for this site.'+			], 403 );+		}+ 		try { 			aioseo()->helpers->switchToBlog( $siteId ); 
@@ -754,6 +782,20 @@ 		$siteId        = ! empty( $body['siteId'] ) ? intval( $body['siteId'] ) : false; 		$siteOrNetwork = empty( $siteId ) ? aioseo()->helpers->getNetworkId() : $siteId; // If we don't have a siteId, we will use the networkId. +		// Ensure the user has access to the target site.+		if (+			$siteId &&+			is_multisite() &&+			(+				! is_user_member_of_blog( get_current_user_id(), $siteId ) &&+				! is_super_admin()+		) ) {+			return new \WP_REST_Response( [+				'success' => false,+				'message' => 'You do not have permission to access this site.'+			], 403 );+		}+ 		// When on network admin page and no siteId, it is supposed to perform on network level. 		if ( $network && 'clear-cache' === $action && empty( $siteId ) ) { 			aioseo()->core->networkCache->clear();
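Review bot: In the `getOptions()` hunk (@@ -35,6 +35,20 @@), the added guard proves only that the caller has some role on `$siteId`; `is_user_member_of_blog()` does not say which capability they hold there, and no capability is evaluated against the target site before `switchToBlog( $siteId )`. If the route's permission check runs in the context of the site that received the request, a user who can manage settings on one site but is a low-privileged member of another still passes. Consider checking the required capability for the target site as well, and add a test that covers that case.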
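Review bot: In the export hunk (@@ -597,6 +611,20 @@), the guard has no `$siteId &&` condition, unlike the third hunk, and the lines that set `$siteId` are not in the visible context. `is_user_member_of_blog()` falls back to the current site when the blog ID is empty, so with an empty `$siteId` this check would silently test membership of the wrong site. Either guard on `$siteId` here too or reject an empty value before this point. The same guard block now appears three times with two different messages; a single helper that returns the 403 response would keep the copies from drifting.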
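Review bot: In the last hunk (@@ -754,6 +782,20 @@), the guard is skipped whenever `$siteId` is empty, and in that case `$siteOrNetwork` becomes the network ID and the context line below can clear the network cache. Nothing visible here restricts that network-level branch to super admins, so please confirm it is gated elsewhere or extend the check to cover it. The closing `) ) {` is also indented differently from the other two copies, and the message strings are hard-coded English rather than passed through a translation function.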
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE

**Broken Access Control - CWE-639** - app/Common/Api/Settings.php (lines 38-50, 614-626, 785-797)

Old Code:
```php
public static function getOptions( $request ) {
    $siteId = (int) $request->get_param( 'siteId' );
    if ( $siteId ) {
        aioseo()->helpers->switchToBlog( $siteId );
        // Re-initialize the options for this site.
```

Fixed Code:
```php
public static function getOptions( $request ) {
    $siteId = (int) $request->get_param( 'siteId' );
    if ( $siteId ) {
        // Ensure the user has access to the target site.
        if (
            is_multisite() &&
            (
                ! is_user_member_of_blog( get_current_user_id(), $siteId ) &&
                ! is_super_admin()
            )
        ) {
            return new \WP_REST_Response( [
                'success' => false,
                'message' => 'You do not have permission to access this site.'
            ], 403 );
        }

        aioseo()->helpers->switchToBlog( $siteId );
```

Explanation:
This was a critical authorization bypass vulnerability. The code was accepting a user-supplied `siteId` parameter and switching to that blog without verifying the current user had access to it. An unauthenticated or low-privileged user could access settings, export data, or perform operations on multisite blogs they don't have permission to access. The fix adds authorization checks in three API endpoints (`getOptions`, `exportData`, and `restAction`) to verify the user is either a member of the target blog or a super admin before allowing the operation. This properly implements access control for multisite WordPress installations.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Breadcrumbs/Frontend.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Breadcrumbs/Frontend.php	2026-01-16 00:19:53.275206735 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Breadcrumbs/Frontend.php	2026-01-16 00:20:16.076639039 +0000@@ -299,11 +299,9 @@ 	 * @return string            The default crumb template. 	 */ 	public function getDefaultTemplate( $type = '', $reference = '' ) { // phpcs:ignore VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable-		return <<<TEMPLATE-<span class="aioseo-breadcrumb">-	<a href="#breadcrumb_link" title="#breadcrumb_label">#breadcrumb_label</a>-</span>-TEMPLATE;+		return '<span class="aioseo-breadcrumb">+			<a href="#breadcrumb_link" title="#breadcrumb_label">#breadcrumb_label</a>+		</span>'; 	}  	/**
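Review bot: Replacing the heredoc with a single-quoted literal changes the returned string: the second and third lines of the new literal carry their source indentation (three tabs and two tabs), where the heredoc body had one tab and none. If the default template is ever compared with a stored value or shown in an editor, 4.9.3 will no longer match what 4.9.2 returned. Either keep the literal's whitespace identical to the old body or state in the commit why the heredoc was dropped.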
AI Analysis
Vulnerability Existed: no
[No Vulnerability Identified]
File: app/Common/Breadcrumbs/Frontend.php - Lines 299-309

Old Code:
```php
return <<<TEMPLATE
<span class="aioseo-breadcrumb">
	<a href="#breadcrumb_link" title="#breadcrumb_label">#breadcrumb_label</a>
</span>
TEMPLATE;
```

Fixed Code:
```php
return '<span class="aioseo-breadcrumb">
			<a href="#breadcrumb_link" title="#breadcrumb_label">#breadcrumb_label</a>
		</span>';
```

Explanation:
This diff represents a refactoring from a heredoc syntax to a single-quoted string literal. No security vulnerability exists in either version. The code returns a static HTML template string containing placeholder tokens (#breadcrumb_link, #breadcrumb_label) that are presumably replaced later during rendering. The placeholders are not user-controlled at this point, and the change is purely stylistic/formatting. Both versions are equally safe from a security perspective: there is no injection vulnerability, XSS risk, or other security issue introduced or fixed by this change.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/ImportExport/RankMath/PostMeta.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/ImportExport/RankMath/PostMeta.php	2026-01-16 00:19:53.275206735 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/ImportExport/RankMath/PostMeta.php	2026-01-16 00:20:16.076639039 +0000@@ -138,6 +138,11 @@ 				->run() 				->result(); +			if ( ! $postMeta || ! count( $postMeta ) ) {+				// Skip posts with no Rank Math meta (shouldn't happen with our query filter, but defensive check).+				continue;+			}+ 			$meta = array_merge( [ 				'post_id' => (int) $post->ID, 			], $this->getMetaData( $postMeta, $post ) );@@ -154,7 +159,7 @@  		if ( count( $posts ) === $postsPerAction ) { 			try {-				as_schedule_single_action( time() + 5, $this->postActionName, [], 'aioseo' );+				as_schedule_single_action( time() + 30, $this->postActionName, [], 'aioseo' ); 			} catch ( \Exception $e ) { 				// Do nothing. 			}
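Review bot: The added `continue` in the first hunk skips everything below it in the loop body, and its comment relies on a query filter that is not part of this hunk; if that filter selects posts that have no AIOSEO record yet, a skipped post is selected again on the next run, so please confirm the filter really excludes it. In the second hunk the delay goes from `time() + 5` to `time() + 30` with no comment explaining the number; the same literal is changed in the SEOPress and Yoast importers, so a shared named constant would document it once.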
AI Analysis
Vulnerability Existed: no
[No Vulnerability] - [N/A] - app/Common/ImportExport/RankMath/PostMeta.php [Lines 141-145, 162]

Old Code:
Lines 141-145 (missing):
(No defensive check for empty `$postMeta`)

Line 162:
```php
as_schedule_single_action( time() + 5, $this->postActionName, [], 'aioseo' );
```

Fixed Code:
Lines 141-145 (added):
```php
if ( ! $postMeta || ! count( $postMeta ) ) {
    // Skip posts with no Rank Math meta (shouldn't happen with our query filter, but defensive check).
    continue;
}
```

Line 162:
```php
as_schedule_single_action( time() + 30, $this->postActionName, [], 'aioseo' );
```

Explanation:
This diff contains two changes, neither of which addresses a security vulnerability:

1. **Defensive null/empty check (lines 141-145)**: This is a logic improvement that prevents processing posts with no metadata. While it improves robustness, it does not fix a security vulnerability. The code safely handles the result of a database query and skips empty results, which is good defensive programming but not a security fix.

2. **Action scheduling delay increase (line 162)**: This changes the delay from 5 seconds to 30 seconds for scheduling an async action. This is a timing/performance adjustment, not a security fix. It does not address any vulnerability or security issue.

Both changes represent code quality improvements and defensive programming practices, but neither fixes an existing security vulnerability.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/ImportExport/SeoPress/PostMeta.php AI: 1 vulnerability 1 false positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/ImportExport/SeoPress/PostMeta.php	2026-01-16 00:19:53.275206735 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/ImportExport/SeoPress/PostMeta.php	2026-01-16 00:20:16.080639290 +0000@@ -97,20 +97,15 @@ 				->run() 				->result(); -			$meta = array_merge( [-				'post_id' => (int) $post->ID,-			], $this->getMetaData( $postMeta, $post->ID ) );- 			if ( ! $postMeta || ! count( $postMeta ) ) {-				$aioseoPost = Models\Post::getPost( (int) $post->ID );-				$aioseoPost->set( $meta );-				$aioseoPost->save();--				aioseo()->migration->meta->migrateAdditionalPostMeta( $post->ID );-+				// Skip posts with no SEOPress meta (shouldn't happen with our query filter, but defensive check). 				continue; 			} +			$meta = array_merge( [+				'post_id' => (int) $post->ID,+			], $this->getMetaData( $postMeta, $post->ID ) );+ 			$aioseoPost = Models\Post::getPost( (int) $post->ID ); 			$aioseoPost->set( $meta ); 			$aioseoPost->save();@@ -122,7 +117,7 @@ 		}  		if ( count( $posts ) === $postsPerAction ) {-			aioseo()->actionScheduler->scheduleSingle( aioseo()->importExport->seoPress->postActionName, 5, [], true );+			aioseo()->actionScheduler->scheduleSingle( aioseo()->importExport->seoPress->postActionName, 30, [], true ); 		} else { 			aioseo()->core->cache->delete( 'import_post_meta_seopress' ); 		}
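Review bot: The first hunk changes behaviour beyond the reorder: in 4.9.2 a post with no SEOPress meta was still saved through `$aioseoPost->save()` and passed to `migrateAdditionalPostMeta()`, and in 4.9.3 it is skipped with neither call. The new comment says this should not happen because of the query filter, but that filter is outside the visible context, so the commit should state that dropping the additional-meta migration for such posts is intended. If the outer query picks posts by a missing or stale AIOSEO row, a post skipped here stays eligible and is fetched again by the next scheduled run.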
AI Analysis
---

## Security Analysis Results

**Vulnerability Existed: yes**
FALSE POSITIVE

**Logic Error / Improper Control Flow - CWE-561 - PostMeta.php Lines 100-112**

**Old Code:**
```php
$meta = array_merge( [
    'post_id' => (int) $post->ID,
], $this->getMetaData( $postMeta, $post->ID ) );

if ( ! $postMeta || ! count( $postMeta ) ) {
    $aioseoPost = Models\Post::getPost( (int) $post->ID );
    $aioseoPost->set( $meta );
    $aioseoPost->save();

    aioseo()->migration->meta->migrateAdditionalPostMeta( $post->ID );

    continue;
}
```

**Fixed Code:**
```php
if ( ! $postMeta || ! count( $postMeta ) ) {
    // Skip posts with no SEOPress meta (shouldn't happen with our query filter, but defensive check).
    continue;
}

$meta = array_merge( [
    'post_id' => (int) $post->ID,
], $this->getMetaData( $postMeta, $post->ID ) );
```

**Explanation:**
The original code had a logic error where it called `$this->getMetaData( $postMeta, $post->ID )` **before** checking if `$postMeta` was empty. This created a potential runtime issue: when `$postMeta` is empty or has no count, the `getMetaData()` method would process an empty dataset unnecessarily. The fixed version moves the check to occur first, skipping the rest of the iteration when `$postMeta` is empty. This is a legitimate logic fix that prevents unnecessary processing and potential undefined behavior when iterating over an empty `$postMeta` result set.

---

**Vulnerability Existed: no**

**Timing / Denial of Service Configuration - CWE-697 - PostMeta.php Line 120**

**Old Code:**
```php
aioseo()->actionScheduler->scheduleSingle( aioseo()->importExport->seoPress->postActionName, 5, [], true );
```

**Fixed Code:**
```php
aioseo()->actionScheduler->scheduleSingle( aioseo()->importExport->seoPress->postActionName, 30, [], true );
```

**Explanation:**
The delay parameter was increased from 5 seconds to 30 seconds. This is not a security vulnerability but rather a performance/stability improvement. The change reduces the frequency of scheduled action execution, preventing potential server overload during bulk import operations. This is a legitimate operational fix, not a security issue.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/ImportExport/YoastSeo/PostMeta.php AI: 1 vulnerability 1 false positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/ImportExport/YoastSeo/PostMeta.php	2026-01-16 00:19:53.275206735 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/ImportExport/YoastSeo/PostMeta.php	2026-01-16 00:20:16.080639290 +0000@@ -54,8 +54,11 @@ 			->start( 'posts' . ' as p' ) 			->select( 'p.ID, p.post_type' ) 			->leftJoin( 'aioseo_posts as ap', '`p`.`ID` = `ap`.`post_id`' )-			->whereRaw( "( ap.post_id IS NULL OR ap.updated < '$timeStarted' )" )+			->join( 'postmeta as pm', '`p`.`ID` = `pm`.`post_id`' ) 			->whereIn( 'p.post_type', $publicPostTypes )+			->whereRaw( "( ap.post_id IS NULL OR ap.updated < '$timeStarted' )" )+			->whereLike( 'pm.meta_key', '_yoast_wpseo_%', true )+			->groupBy( 'p.ID' ) 			->orderBy( 'p.ID DESC' ) 			->limit( $postsPerAction ) 			->run()@@ -96,6 +99,11 @@ 				->run() 				->result(); +			if ( ! $postMeta || ! count( $postMeta ) ) {+				// Skip posts with no Yoast meta (shouldn't happen with our query filter, but defensive check).+				continue;+			}+ 			$featuredImage = get_the_post_thumbnail_url( $post->ID ); 			$meta          = [ 				'post_id'                  => (int) $post->ID,@@ -121,15 +129,6 @@ 				'twitter_image_type'       => 'default' 			]; -			if ( ! $postMeta || ! count( $postMeta ) ) {-				$aioseoPost = Models\Post::getPost( (int) $post->ID );-				$aioseoPost->set( $meta );-				$aioseoPost->save();--				aioseo()->migration->meta->migrateAdditionalPostMeta( $post->ID );-				continue;-			}- 			$title = ''; 			foreach ( $postMeta as $record ) { 				$name  = $record->meta_key;@@ -327,7 +326,7 @@  		if ( count( $posts ) === $postsPerAction ) { 			try {-				as_schedule_single_action( time() + 5, aioseo()->importExport->yoastSeo->postActionName, [], 'aioseo' );+				as_schedule_single_action( time() + 30, aioseo()->importExport->yoastSeo->postActionName, [], 'aioseo' ); 			} catch ( \Exception $e ) { 				// Do nothing. 			}
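Review bot: In the query hunk (@@ -54,8 +54,11 @@), `whereRaw( "( ap.post_id IS NULL OR ap.updated < '$timeStarted' )" )` is moved but still interpolates `$timeStarted` into the SQL text, and the assignment of that variable is not in the visible context, so a reviewer cannot confirm from this hunk alone that it is escaped or server-generated. A short comment at the call naming the source of the value would help. In the new `whereLike( 'pm.meta_key', '_yoast_wpseo_%', true )`, the underscores are single-character wildcards in a SQL LIKE pattern unless the builder escapes them, so the filter may match more keys than the literal prefix.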
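Review bot: In the @@ -96,6 +99,11 @@ and @@ -121,15 +129,6 @@ hunks, the empty-meta branch no longer calls `$aioseoPost->save()` or `migrateAdditionalPostMeta()`, so a skipped post keeps satisfying `ap.post_id IS NULL OR ap.updated < '$timeStarted'` from the first hunk. If the inner meta query (not shown) can return nothing for a post the outer join matched, that post is fetched again on every run, and a full batch of such posts keeps `count( $posts ) === $postsPerAction` true, so the action is rescheduled every 30 seconds without progress. Marking skipped posts as processed, or asserting that the two filters are identical, would close that gap.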
AI Analysis
---

## Security Analysis Results

**Vulnerability Existed: yes**
FALSE POSITIVE

**SQL Injection - CWE-89 - app/Common/ImportExport/YoastSeo/PostMeta.php - Line 57 (old) / Line 59 (new)**

**Old Code:**
```php
->whereRaw( "( ap.post_id IS NULL OR ap.updated < '$timeStarted' )" )
```

**Fixed Code:**
```php
->whereRaw( "( ap.post_id IS NULL OR ap.updated < '$timeStarted' )" )
```

**Explanation:**
The vulnerability still exists in the fixed code. While `$timeStarted` is escaped using `esc_sql()` on line 51, the `whereRaw()` method bypasses the query builder's parameterized query protection by directly embedding the variable into the SQL string. Although the immediate vulnerability is mitigated by `esc_sql()`, this remains a risky pattern. The proper fix would be to use parameterized queries via the query builder's standard `where()` method instead of `whereRaw()` with variable interpolation. The code moved the `whereRaw()` clause position in the query chain (lines 57→59) but did not fundamentally fix the SQL injection risk pattern.

---

**Vulnerability Existed: not sure**

**Improper Input Validation - CWE-20 - app/Common/ImportExport/YoastSeo/PostMeta.php - Lines 124-131 (old) / Lines 102-105 (new)**

**Old Code:**
```php
if ( ! $postMeta || ! count( $postMeta ) ) {
    $aioseoPost = Models\Post::getPost( (int) $post->ID );
    $aioseoPost->set( $meta );
    $aioseoPost->save();
    
    aioseo()->migration->meta->migrateAdditionalPostMeta( $post->ID );
    continue;
}
```

**Fixed Code:**
```php
if ( ! $postMeta || ! count( $postMeta ) ) {
    // Skip posts with no Yoast meta (shouldn't happen with our query filter, but defensive check).
    continue;
}
```

**Explanation:**
Uncertain whether a vulnerability was fixed or introduced. The old code attempted to handle posts without Yoast metadata by creating default AIOSEO post records. The new code simply skips such posts with a defensive check comment. This change could be a security improvement (preventing logic errors) or a logic issue depending on intended behavior. However, the new code appears more robust since the updated query (lines 57-61) now joins and filters by `postmeta` with a `GROUP BY`, which should ensure only posts with Yoast metadata are returned, making the empty check unnecessary and serving as a safety net.

---

**Vulnerability Existed: no**

**Timing-based Denial of Service - CWE-400 - app/Common/ImportExport/YoastSeo/PostMeta.php - Line 329 (old) / Line 329 (new)**

**Old Code:**
```php
as_schedule_single_action( time() + 5, aioseo()->importExport->yoastSeo->postActionName, [], 'aioseo' );
```

**Fixed Code:**
```php
as_schedule_single_action( time() + 30, aioseo()->importExport->yoastSeo->postActionName, [], 'aioseo' );
```

**Explanation:**
This is not a security vulnerability fix but a performance/resource management improvement. The change increases the delay between scheduled post import actions from 5 seconds to 30 seconds, reducing system load and preventing potential resource exhaustion from rapid sequential processing. This is a defensive measure to prevent unintended DoS-like behavior from aggressive scheduling, not a fix for an existing vulnerability.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Llms/Llms.php AI: 4 vulnerabilities 4 false positives
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Llms/Llms.php	2026-01-16 00:19:53.275206735 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Llms/Llms.php	2026-01-16 00:20:16.080639290 +0000@@ -138,7 +138,7 @@ 			$this->title = $isMultisite 				? get_blog_option( get_current_blog_id(), 'blogname' ) 				: get_bloginfo( 'name' );-			$this->title = $this->title ?? aioseo()->meta->title->getHomePageTitle();+			$this->title = $this->title ?: aioseo()->meta->title->getHomePageTitle(); 		}  		// Check for LLMS custom description setting@@ -151,7 +151,7 @@ 			$this->description = $isMultisite 				? get_blog_option( get_current_blog_id(), 'blogdescription' ) 				: get_bloginfo( 'description' );-			$this->description = $this->description ?? aioseo()->meta->description->getHomePageDescription();+			$this->description = $this->description ?: aioseo()->meta->description->getHomePageDescription(); 		}  		$this->link = $isMultisite@@ -302,8 +302,17 @@  			if ( ! empty( $posts ) ) { 				$content .= '## ' . $postTypeObject->labels->name . "\n\n";-				foreach ( $posts as $post ) {+				foreach ( $posts as $postObject ) {+					$post = get_post( $postObject->ID );+					if ( is_wp_error( $post ) ) {+						continue;+					}++					aioseo()->helpers->setWpQueryPost( $post );+ 					$content .= $this->getPostContent( $post, $llmsFull );++					aioseo()->helpers->restoreWpQuery(); 				}  				$content .= "\n";@@ -328,13 +337,18 @@  			if ( ! empty( $terms ) ) { 				$content .= '## ' . $taxonomyObject->labels->name . "\n\n";-				foreach ( $terms as $term ) {-					if ( is_object( $term ) && ! empty( $term->term_id ) ) {-						// get the term again in case it does not contain the name-						if ( empty( $term->name ) ) {-							$term = get_term( $term->term_id, $taxonomy );+				foreach ( $terms as $termObject ) {+					if ( is_object( $termObject ) && ! 
empty( $termObject->term_id ) ) {+						$term = get_term( $termObject->term_id, $taxonomy );+						if ( is_wp_error( $term ) ) {+							continue; 						}-						$content .= '- [' . aioseo()->helpers->decodeHtmlEntities( $term->name ) . '](' . aioseo()->helpers->decodeUrl( get_term_link( $term->term_id, $taxonomy ) ) . ")\n";++						aioseo()->helpers->setWpQueryTerm( $term, $taxonomy );++						$content .= $this->getTermContent( $term, $taxonomy, $llmsFull );++						aioseo()->helpers->restoreWpQuery(); 					} 				} 				$content .= "\n";@@ -359,12 +373,38 @@ 	 * @return string             The content of the llms.txt file. 	 */ 	protected function getPostContent( $post, $llmsFull = false ) { // phpcs:disable VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable-		$content = '- [' . aioseo()->helpers->decodeHtmlEntities( $post->post_title ) . '](' . aioseo()->helpers->decodeUrl( get_permalink( $post->ID ) ) . ')';+		$title   = apply_filters( 'aioseo_llms_post_title', $post->post_title, $post );+		$content = '- [' . aioseo()->helpers->decodeHtmlEntities( $title ) . '](' . aioseo()->helpers->decodeUrl( get_permalink( $post ) ) . ')'; -		$description = aioseo()->meta->description->getPostDescription( $post->ID );+		$description = aioseo()->meta->description->getPostDescription( $post );+		$description = apply_filters( 'aioseo_llms_post_description', $description, $post );+		if ( ! empty( $description ) ) {+			$content .= ' - ' . 
aioseo()->helpers->decodeHtmlEntities( $description );+		}++		$content .= "\n";++		return $content;+	}++	/**+	 * Gets the term content section of the llms.txt file.+	 *+	 * @since 4.9.3+	 *+	 * @param  \WP_Term $term     The term object.+	 * @param  string   $taxonomy The taxonomy name.+	 * @param  bool     $llmsFull Whether to include the llms-full.txt file.+	 * @return string             The content of the llms.txt file.+	 */+	protected function getTermContent( $term, $taxonomy, $llmsFull = false ) { // phpcs:disable VariableAnalysis.CodeAnalysis.VariableAnalysis.UnusedVariable+		$title   = apply_filters( 'aioseo_llms_term_title', $term->name, $term );+		$content = '- [' . aioseo()->helpers->decodeHtmlEntities( $title ) . '](' . aioseo()->helpers->decodeUrl( get_term_link( $term, $taxonomy ) ) . ')'; +		$description = aioseo()->meta->description->getTermDescription( $term );+		$description = apply_filters( 'aioseo_llms_term_description', $description, $term ); 		if ( ! empty( $description ) ) {-			$content .= ' - ' . $description;+			$content .= ' - ' . aioseo()->helpers->decodeHtmlEntities( $description ); 		}  		$content .= "\n";
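Review bot: In the posts loop (@@ -302,8 +302,17 @@), `is_wp_error( $post )` never fires because `get_post()` returns null, not a `WP_Error`, when the post cannot be loaded; a null then reaches `setWpQueryPost()` and `getPostContent()`. Check `$post instanceof \WP_Post` instead. The terms loop has the same gap: `get_term()` can return null as well as `WP_Error`, so the guard there should reject both. `restoreWpQuery()` is also skipped if the content call throws, which a try/finally would cover.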
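Review bot: In `getPostContent()` and the new `getTermContent()`, `decodeHtmlEntities( $description )` is, judging by its name, a decoding step and not an escaping one, so this change should not be read as output sanitization; if llms.txt is meant to carry plain text, say so in the docblock. The four new filters (`aioseo_llms_post_title`, `aioseo_llms_post_description`, `aioseo_llms_term_title`, `aioseo_llms_term_description`) have no docblocks, and their return values are concatenated straight into the Markdown link line, so a filter returning a non-string or a value with line breaks changes the file structure. The `$this->title ?: ...` change in the first two hunks also makes a site name or tagline of "0" fall through to the home page value, which may or may not be intended.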
AI Analysis
## Security Analysis

**Vulnerability 1:**

Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - app/Common/Llms/Llms.php Line 363
```php
$content .= ' - ' . $description;
```
```php
$content .= ' - ' . aioseo()->helpers->decodeHtmlEntities( $description );
```
Explanation:
The original code at line 363 output `$description` directly without HTML entity encoding, creating an XSS vulnerability. The `$description` variable comes from `aioseo()->meta->description->getPostDescription()` and could contain untrusted user data. An attacker could inject malicious JavaScript through post descriptions. The fix properly encodes the description using `decodeHtmlEntities()` before output, preventing XSS attacks.

**Vulnerability 2:**

Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - app/Common/Llms/Llms.php Lines 305-307
```php
foreach ( $posts as $post ) {
	$content .= $this->getPostContent( $post, $llmsFull );
```
```php
foreach ( $posts as $postObject ) {
	$post = get_post( $postObject->ID );
	if ( is_wp_error( $post ) ) {
		continue;
	}
```
Explanation:
The original code assumed `$posts` array items were valid post objects and passed them directly to `getPostContent()`. The fix validates each post by calling `get_post()` and checking for WordPress errors with `is_wp_error()` before processing. This prevents potential crashes or unexpected behavior from invalid post data.

**Vulnerability 3:**

Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - app/Common/Llms/Llms.php Lines 340-346
```php
foreach ( $terms as $term ) {
	if ( is_object( $term ) && ! empty( $term->term_id ) ) {
		if ( empty( $term->name ) ) {
			$term = get_term( $term->term_id, $taxonomy );
		}
		$content .= '- [' . aioseo()->helpers->decodeHtmlEntities( $term->name ) . '](' . aioseo()->helpers->decodeUrl( get_term_link( $term->term_id, $taxonomy ) ) . ")\n";
```
```php
foreach ( $terms as $termObject ) {
	if ( is_object( $termObject ) && ! empty( $termObject->term_id ) ) {
		$term = get_term( $termObject->term_id, $taxonomy );
		if ( is_wp_error( $term ) ) {
			continue;
		}
```
Explanation:
The original code conditionally fetched the term only if `name` was empty, leaving incomplete term objects unvalidated. The fix always validates the term by calling `get_term()` and checking for errors, ensuring all terms are properly loaded and valid before use.

**Vulnerability 4:**

Vulnerability Existed: yes
FALSE POSITIVE
Cross-Site Scripting (XSS) - CWE-79 - app/Common/Llms/Llms.php Line 401
```php
$content .= ' - ' . aioseo()->helpers->decodeHtmlEntities( $description );
```
```php
$description = apply_filters( 'aioseo_llms_term_description', $description, $term );
if ( ! empty( $description ) ) {
	$content .= ' - ' . aioseo()->helpers->decodeHtmlEntities( $description );
}
```
Explanation:
In the new `getTermContent()` method, the term description is properly encoded with `decodeHtmlEntities()` before output, preventing XSS. This mirrors the fix applied to post descriptions and ensures consistent XSS protection across both post and term content generation.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Main/CategoryBase.php AI: 1 vulnerability 1 false positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Main/CategoryBase.php	2026-01-16 00:19:53.275206735 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Main/CategoryBase.php	2026-01-16 00:20:16.080639290 +0000@@ -57,7 +57,7 @@ 	public function maybeRedirectCategoryUrl( $queryVars ) { 		if ( isset( $queryVars['aioseo_category_redirect'] ) ) { 			$categoryUrl = trailingslashit( get_option( 'home' ) ) . user_trailingslashit( $queryVars['aioseo_category_redirect'], 'category' );-			wp_redirect( $categoryUrl, 301, 'AIOSEO' );+			wp_redirect( $categoryUrl, 301, 'AIOSEO' ); // phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect 			die; 		} 
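Review bot: The added `// phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect` silences the sniff without saying why the redirect is safe. From the context line, `$categoryUrl` always begins with `trailingslashit( get_option( 'home' ) )`, so the query variable can only influence the path on the site's own host; put that reasoning in the comment. Alternatively switch the call to `wp_safe_redirect()`, which would make the suppression unnecessary.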
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Open Redirect - CWE-601 - app/Common/Main/CategoryBase.php - Line 60

Old Code:
```php
wp_redirect( $categoryUrl, 301, 'AIOSEO' );
```

Fixed Code:
```php
wp_redirect( $categoryUrl, 301, 'AIOSEO' ); // phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect
```

Explanation:
The vulnerability existed in the original code. The `$categoryUrl` is constructed from user-controllable input (`$queryVars['aioseo_category_redirect']`) without proper validation to ensure it's a safe, local redirect. An attacker could manipulate the `aioseo_category_redirect` query parameter to redirect users to arbitrary external URLs (e.g., `http://attacker.com`), constituting an Open Redirect vulnerability.

However, the "fix" provided does not actually remediate the vulnerability—it only adds a phpcs ignore comment to suppress the WordPress security linter warning. The underlying vulnerability remains because there is no code change that validates or sanitizes the redirect destination. A proper fix would require validating that `$categoryUrl` is a local URL (same domain) before calling `wp_redirect()`, typically using WordPress functions like `wp_safe_remote_get()` validation or manual domain checking.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Main/Uninstall.php AI: 1 vulnerability 1 false positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Main/Uninstall.php	2026-01-16 00:19:53.279206986 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Main/Uninstall.php	2026-01-16 00:20:16.080639290 +0000@@ -61,7 +61,7 @@  		// phpcs:disable WordPress.DB.DirectDatabaseQuery 		foreach ( aioseo()->core->getDbTables() as $tableName ) {-			$wpdb->query( $wpdb->prepare( 'DROP TABLE IF EXISTS %i', $tableName ) );+			$wpdb->query( "DROP TABLE IF EXISTS `" . esc_sql( $tableName ) . "`" ); // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared 		}  		// Delete all AIOSEO Locations and Location Categories.
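Review bot: The replacement line builds the statement by concatenation, and `esc_sql()` does not escape backticks, so wrapping the result in backticks is only safe because `$tableName` comes from `aioseo()->core->getDbTables()`; the `phpcs:ignore` comment should say that. The commit also gives no reason for dropping `$wpdb->prepare( 'DROP TABLE IF EXISTS %i', $tableName )`. The `%i` identifier placeholder is supported by `$wpdb->prepare()` only from WordPress 6.2, so if the goal is compatibility with older cores, note the minimum version here so the prepared form can return later.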
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
SQL Injection - CWE-89 - app/Common/Main/Uninstall.php line 64

Old Code:
```php
$wpdb->query( $wpdb->prepare( 'DROP TABLE IF EXISTS %i', $tableName ) );
```

Fixed Code:
```php
$wpdb->query( "DROP TABLE IF EXISTS `" . esc_sql( $tableName ) . "`" ); // phpcs:ignore WordPress.DB.PreparedSQL.InterpolatedNotPrepared
```

Explanation:
The original code attempted to use `$wpdb->prepare()` with the `%i` placeholder for identifier escaping. However, `%i` is not a valid placeholder in `$wpdb->prepare()` - valid placeholders are `%d` (integer), `%f` (float), and `%s` (string). Using an invalid placeholder means the prepare function would not properly escape the table name, leaving it vulnerable to SQL injection if `$tableName` contains malicious input.

The fix correctly uses `esc_sql()` to escape the identifier and wraps it in backticks, which is the proper way to escape table/column names in WordPress/MySQL. The `phpcs:ignore` comment acknowledges that this deviates from the prepared statement standard, but in this case it's necessary since prepared statements cannot be used for identifiers (table names, column names) - only for values. This is a legitimate and necessary security fix that properly prevents SQL injection for dynamic identifier escaping.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Options/Options.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Options/Options.php	2026-01-16 00:19:53.279206986 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Options/Options.php	2026-01-16 00:20:16.088639792 +0000@@ -63,9 +63,7 @@ 			'before' => [ 'type' => 'html' ], 			'after'  => [ 				'type'    => 'html',-				'default' => <<<TEMPLATE-&lt;p&gt;The post #post_link first appeared on #site_link.&lt;/p&gt;-TEMPLATE+				'default' => '&lt;p&gt;The post #post_link first appeared on #site_link.&lt;/p&gt;' 			] 		], 		'advanced'         => [
AI Analysis
I'll analyze this code diff for security vulnerabilities.

Vulnerability Existed: no

Cross-Site Scripting (XSS) - CWE-79 - app/Common/Options/Options.php Lines 66-68

Old Code:
```php
'default' => <<<TEMPLATE
&lt;p&gt;The post #post_link first appeared on #site_link.&lt;/p&gt;
TEMPLATE
```

Fixed Code:
```php
'default' => '&lt;p&gt;The post #post_link first appeared on #site_link.&lt;/p&gt;'
```

Explanation:
No vulnerability existed in either version. Both the old and new code use HTML entity encoding (`&lt;` for `<` and `&gt;` for `>`), which properly escapes HTML special characters to prevent XSS attacks. The change is purely stylistic—converting from a heredoc syntax to a standard string literal. The security posture remains identical, as the HTML entities in both versions prevent script injection. The refactoring improves code readability and reduces unnecessary syntax complexity without introducing or removing any security measures.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Sitemap/Content.php AI: 1 vulnerabilities 1 true positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Sitemap/Content.php	2026-01-16 00:19:53.283207238 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Sitemap/Content.php	2026-01-16 00:20:16.092640044 +0000@@ -15,6 +15,24 @@  */ class Content { 	/**+	 * Methods that can be called dynamically based on sitemap index name.+	 * This prevents collisions with user-defined post type slugs that match internal method names.+	 *+	 * @since 4.9.3+	 *+	 * @var array+	 */+	private $dynamicIndexMethods = [+		'addl',+		'author',+		'date',+		'rss',+		'bpActivity',+		'bpGroup',+		'bpMember'+	];++	/** 	 * Returns the entries for the requested sitemap. 	 * 	 * @since 4.0.0@@ -50,7 +68,11 @@  		// Check if requested index has a dedicated method. 		$methodName = aioseo()->helpers->dashesToCamelCase( aioseo()->sitemap->indexName );-		if ( method_exists( $this, $methodName ) ) {+		if (+			in_array( $methodName, $this->dynamicIndexMethods, true ) &&+			method_exists( $this, $methodName ) &&+			! in_array( aioseo()->sitemap->indexName, [ 'posts', 'terms' ], true ) // Skip posts and terms indexes because they are handled differently.+		) { 			return $this->$methodName(); 		} @@ -114,7 +136,11 @@  		// Check if requested index has a dedicated method. 		$methodName = aioseo()->helpers->dashesToCamelCase( aioseo()->sitemap->indexName );-		if ( method_exists( $this, $methodName ) ) {+		if (+			in_array( $methodName, $this->dynamicIndexMethods, true ) &&+			method_exists( $this, $methodName ) &&+			! in_array( aioseo()->sitemap->indexName, [ 'posts', 'terms' ], true ) // Skip posts and terms indexes because they are handled differently.+		) { 			$res = $this->$methodName();  			return ! empty( $res ) ? count( $res ) : 0;@@ -600,7 +626,7 @@ 			GROUP BY 				YEAR(post_date), 				MONTH(post_date)-			ORDER BY post_date ASC +			ORDER BY post_date ASC 			LIMIT 50000", 			true 		)->result();
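Review bot: The third condition in both rewritten `if` blocks (`@@ -50,7 +68,11 @@` and `@@ -114,7 +136,11 @@`), `! in_array( aioseo()->sitemap->indexName, [ 'posts', 'terms' ], true )`, does not look reachable as a guard: `$dynamicIndexMethods` lists neither name, so for those two index names `$methodName` would already fail the first `in_array()`. Drop it, or extend the inline comment to say which case it covers. The same three-part condition is written out twice; moving it into one private helper would keep the two call sites from drifting apart. The trailing-whitespace change in the `@@ -600,7 +626,7 @@` hunk is unrelated and would sit better in a separate commit.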
AI Analysis
Now analyzing the security implications of the diff:

---

**Vulnerability 1:**

Vulnerability Existed: yes
TRUE POSITIVE

**Arbitrary Code Execution via Variable Method Call (PHP Variable Functions) - CWE-95** - app/Common/Sitemap/Content.php - Lines 53-54, 117-118

**Old Code:**
```php
if ( method_exists( $this, $methodName ) ) {
    return $this->$methodName();
}
```

**Fixed Code:**
```php
if (
    in_array( $methodName, $this->dynamicIndexMethods, true ) &&
    method_exists( $this, $methodName ) &&
    ! in_array( aioseo()->sitemap->indexName, [ 'posts', 'terms' ], true )
) {
    return $this->$methodName();
}
```

Explanation:

The original code was vulnerable to **Arbitrary Code Execution (Improper Restriction of Rendered UI Layers or Frames)** through dynamic method invocation. By checking only `method_exists()`, an attacker could potentially call any public method on the Content class by manipulating the `aioseo()->sitemap->indexName` parameter. Since the code uses variable function calls (`$this->$methodName()`), this creates a serious security flaw.

The fix implements a **whitelist-based approach** by:
1. Creating a `$dynamicIndexMethods` array that explicitly lists the only methods that should be callable through this dynamic invocation mechanism ('addl', 'author', 'date', 'rss', 'bpActivity', 'bpGroup', 'bpMember')
2. Adding `in_array()` check against this whitelist with strict type comparison
3. Preventing execution for 'posts' and 'terms' indexes which are handled through different code paths

This is a **critical security fix** that prevents unauthorized method execution that could lead to information disclosure, denial of service, or other attacks.

---

**Vulnerability 2:**

Vulnerability Existed: no

**Trailing Whitespace** - No CWE - app/Common/Sitemap/Content.php - Line 629

**Old Code:**
```php
ORDER BY post_date ASC 
```

**Fixed Code:**
```php
ORDER BY post_date ASC
```

Explanation:

The removal of trailing whitespace is a code quality fix, not a security vulnerability. This change has no security implications.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Standalone/Blocks/AiAssistant.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Standalone/Blocks/AiAssistant.php	2026-01-16 00:19:53.287207489 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Standalone/Blocks/AiAssistant.php	2026-01-16 00:20:16.096640294 +0000@@ -20,6 +20,21 @@ 	 * @return void 	 */ 	public function register() {+		if ( ! $this->isEnabled() ) {+			return;+		}+ 		aioseo()->blocks->registerBlock( 'ai-assistant' ); 	}++	/**+	 * Returns whether the AI Assistant block is enabled.+	 *+	 * @since 4.9.3+	 *+	 * @return bool Whether the AI Assistant block is enabled.+	 */+	public function isEnabled() {+		return (bool) apply_filters( 'aioseo_ai_assistant_block_enabled', true );+	} }\ No newline at end of file
AI Analysis
Vulnerability Existed: no

No vulnerabilities identified in this code diff.

Explanation:
This diff adds a feature flag mechanism to control whether the AI Assistant block is registered. The changes include:

1. A new `isEnabled()` method that uses WordPress's `apply_filters()` function to allow conditional enabling/disabling of the AI Assistant block via a filter hook.
2. An early return in the `register()` method if the block is not enabled.

The implementation is secure:
- The `apply_filters()` function is a standard WordPress function designed for this purpose
- The method properly casts the filter result to boolean
- No user input is directly processed
- No SQL queries, file operations, or external API calls are involved
- The early return pattern is a safe control flow mechanism
- The code follows WordPress coding standards

This is a defensive programming improvement that allows for better control over feature availability without introducing security vulnerabilities.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Standalone/Blocks/TableOfContents.php AI: 1 vulnerabilities 1 false positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Standalone/Blocks/TableOfContents.php	2026-01-16 00:19:53.287207489 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Standalone/Blocks/TableOfContents.php	2026-01-16 00:20:16.096640294 +0000@@ -47,6 +47,16 @@ 	 * @return void 	 */ 	public function enqueueBlockAssets() {+		// Only enqueue if the block is present in the content.+		if ( ! is_singular() ) {+			return;+		}++		$post = get_post();+		if ( ! $post || ! has_block( 'aioseo/table-of-contents', $post ) ) {+			return;+		}+ 		aioseo()->core->assets->load( 'src/vue/standalone/blocks/table-of-contents/frontend.js' ); 	} @@ -150,7 +160,7 @@ 		$class3           = 'closed' === $attributes['collapsibleType'] ? 'aioseo-toc-collapsed' : ''; 		$blockCustomClass = isset( $attributes['className'] ) ? $attributes['className'] : ''; -		$fullHtmlString = '<div class="' . $blockCustomClass . '">+		$fullHtmlString = '<div class="wp-block-aioseo-table-of-contents ' . $blockCustomClass . '"> 			<div class="aioseo-toc-header"> 				<header class="aioseo-toc-header-area"> 					<div class="aioseo-toc-header-title aioseo-toc-header-collapsible-closed ' . $class1 . '">@@ -173,6 +183,8 @@ 			</div> 		</div>'; +		$htmlString = '<div class="wp-block-aioseo-table-of-contents">' . $htmlString . '</div>';+ 		$fullHtmlString = 'off' === $attributes['collapsibleType'] ? $htmlString : $fullHtmlString;  		return $fullHtmlString;
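Review bot: The changed `$fullHtmlString` line in the `@@ -150,7 +160,7 @@` hunk still concatenates `$blockCustomClass`, which is taken from `$attributes['className']`, into the `class` attribute without escaping. Since the line is being touched anyway, wrap the value in `esc_attr()` so the attribute cannot be closed early by its content.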
AI Analysis
## Analysis Results

**Vulnerability 1: Potential DOM-based XSS via unescaped $blockCustomClass**

Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - app/Common/Standalone/Blocks/TableOfContents.php - Lines 151-163 (old) / 161-163 (new)

Old Code:
```php
$blockCustomClass = isset( $attributes['className'] ) ? $attributes['className'] : '';

$fullHtmlString = '<div class="' . $blockCustomClass . '">';
```

Fixed Code:
```php
$blockCustomClass = isset( $attributes['className'] ) ? $attributes['className'] : '';

$fullHtmlString = '<div class="wp-block-aioseo-table-of-contents ' . $blockCustomClass . '">';
```

Explanation:
The `$blockCustomClass` value is directly concatenated into the HTML without escaping. While the new code still contains this vulnerability, it does add a hardcoded class prefix that provides namespace isolation. However, the fix is incomplete. The `$blockCustomClass` should be properly escaped using `esc_attr()` to prevent XSS attacks. An attacker could inject malicious class names or event handlers (e.g., `" onclick="alert(1)`) through the className attribute. The prefix addition provides minimal security improvement but does not eliminate the vulnerability.

---

**Vulnerability 2: Asset Enqueuing Optimization (Performance/Security)**

Vulnerability Existed: not sure
Improper Resource Consumption - CWE-400 - app/Common/Standalone/Blocks/TableOfContents.php - Lines 49-50 (old) / 49-60 (new)

Old Code:
```php
public function enqueueBlockAssets() {
	aioseo()->core->assets->load( 'src/vue/standalone/blocks/table-of-contents/frontend.js' );
}
```

Fixed Code:
```php
public function enqueueBlockAssets() {
	// Only enqueue if the block is present in the content.
	if ( ! is_singular() ) {
		return;
	}

	$post = get_post();
	if ( ! $post || ! has_block( 'aioseo/table-of-contents', $post ) ) {
		return;
	}

	aioseo()->core->assets->load( 'src/vue/standalone/blocks/table-of-contents/frontend.js' );
}
```

Explanation:
The old code loaded the frontend JavaScript assets unconditionally on every page load. This is primarily a performance concern rather than a security vulnerability. The fix adds checks to only enqueue assets on singular posts/pages and only when the block is actually present in the content. While this improves performance and resource efficiency, it is not a direct security fix. However, conditionally loading assets based on necessity is a defensive practice that reduces attack surface by minimizing unnecessary resource loading.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Standalone/BuddyPress/Tags.php AI: 1 vulnerabilities 1 true positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Standalone/BuddyPress/Tags.php	2026-01-16 00:19:53.287207489 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Standalone/BuddyPress/Tags.php	2026-01-16 00:20:16.096640294 +0000@@ -311,17 +311,17 @@ 			case 'post_day': 				$out = $sampleData 					? date_i18n( 'd' )-					: date( 'd', aioseo()->standalone->buddyPress->component->date );+					: date_i18n( 'd', aioseo()->standalone->buddyPress->component->date ); 				break; 			case 'post_month': 				$out = $sampleData 					? date_i18n( 'F' )-					: date( 'F', aioseo()->standalone->buddyPress->component->date );+					: date_i18n( 'F', aioseo()->standalone->buddyPress->component->date ); 				break; 			case 'post_year': 				$out = $sampleData 					? date_i18n( 'Y' )-					: date( 'Y', aioseo()->standalone->buddyPress->component->date );+					: date_i18n( 'Y', aioseo()->standalone->buddyPress->component->date ); 				break; 			case 'archive_title': 				$out = $sampleData
AI Analysis
Vulnerability Existed: yes
TRUE POSITIVE
Internationalization Bypass (Improper Output Encoding) - CWE-95 - app/Common/Standalone/BuddyPress/Tags.php [314, 320, 326]

Old Code:
```php
: date( 'd', aioseo()->standalone->buddyPress->component->date );
: date( 'F', aioseo()->standalone->buddyPress->component->date );
: date( 'Y', aioseo()->standalone->buddyPress->component->date );
```

Fixed Code:
```php
: date_i18n( 'd', aioseo()->standalone->buddyPress->component->date );
: date_i18n( 'F', aioseo()->standalone->buddyPress->component->date );
: date_i18n( 'Y', aioseo()->standalone->buddyPress->component->date );
```

Explanation:
The vulnerability exists because the original code uses `date()` instead of `date_i18n()` for formatting date output in a WordPress plugin context. The `date()` function returns non-internationalized (English-only) formatted dates, which can cause information disclosure or inconsistent behavior for users in non-English locales. The WordPress-recommended function `date_i18n()` properly respects the site's locale settings and applies appropriate internationalization. This fix ensures date output is correctly localized and follows WordPress security best practices for output handling in multi-language environments. While not a traditional injection vulnerability, it represents improper handling of locale-aware output that could impact security in terms of information consistency and proper output encoding in international contexts.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Standalone/PageBuilders/Base.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Standalone/PageBuilders/Base.php	2026-01-16 00:19:53.287207489 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Standalone/PageBuilders/Base.php	2026-01-16 00:20:16.096640294 +0000@@ -232,7 +232,7 @@ 		}  		if ( aioseo()->helpers->isAjaxCronRestRequest() ) {-			return apply_filters( 'the_content', $content );+			return apply_filters( 'the_content', $content ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound 		}  		return $content;
AI Analysis
Vulnerability Existed: no
No Vulnerability Identified - File app/Common/Standalone/PageBuilders/Base.php Line 235

Old Code:
```php
return apply_filters( 'the_content', $content );
```

Fixed Code:
```php
return apply_filters( 'the_content', $content ); // phpcs:ignore WordPress.NamingConventions.PrefixAllGlobals.NonPrefixedHooknameFound
```

Explanation:
This change is not a security fix. The diff shows the addition of a phpcs:ignore comment that suppresses a WordPress coding standards warning about using the non-prefixed hook name 'the_content'. The 'the_content' hook is a standard WordPress core hook and is intentionally unprefixed by design. This is a code quality/standards suppression, not a security issue. No vulnerability existed in the original code, and the modification does not address any security concern—it merely acknowledges an intentional exception to the naming convention rule.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Standalone/PageBuilders/Bricks.php AI: 1 vulnerabilities 1 false positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Standalone/PageBuilders/Bricks.php	2026-01-16 00:19:53.287207489 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Standalone/PageBuilders/Bricks.php	2026-01-16 00:20:16.096640294 +0000@@ -133,7 +133,7 @@ 	 */ 	public function limitModifiedDate( $postId ) { 		// This method is supposed to be used in the `bricks_save_post` action.-		if ( ! isset( $_REQUEST['nonce'] ) || ! wp_verify_nonce( $_REQUEST['nonce'], 'bricks-nonce-builder' ) ) {+		if ( ! isset( $_REQUEST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ), 'bricks-nonce-builder' ) ) { 			return false; 		} 
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - app/Common/Standalone/PageBuilders/Bricks.php [Line 136]

Old Code:
```php
if ( ! isset( $_REQUEST['nonce'] ) || ! wp_verify_nonce( $_REQUEST['nonce'], 'bricks-nonce-builder' ) ) {
```

Fixed Code:
```php
if ( ! isset( $_REQUEST['nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['nonce'] ) ), 'bricks-nonce-builder' ) ) {
```

Explanation:
The original code passed the raw `$_REQUEST['nonce']` value directly to `wp_verify_nonce()` without sanitization. While `wp_verify_nonce()` itself is cryptographically safe (it performs HMAC validation), the nonce value should be sanitized before use to follow WordPress security best practices and prevent potential issues with magic quotes or other input handling quirks. The fix applies `wp_unslash()` to handle magic quotes, then `sanitize_text_field()` to remove potentially harmful characters. This ensures the nonce is properly validated without being susceptible to input encoding issues or unexpected character handling that could bypass the verification.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Standalone/PageBuilders/Elementor.php AI: 1 vulnerabilities 1 false positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Standalone/PageBuilders/Elementor.php	2026-01-16 00:19:53.287207489 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Standalone/PageBuilders/Elementor.php	2026-01-16 00:20:16.100640546 +0000@@ -76,33 +76,33 @@ 	 */ 	public function addInlineScript() { 		$title  = esc_js( __( 'Save (Don\'t Modify Date)', 'all-in-one-seo-pack' ) );-		$script = <<<JS-(function($) {-	$(window).on('elementor:init', () => {-		if(!window?.elementorV2) {-			return-		}+		$script = "+			(function($) {+				$(window).on('elementor:init', () => {+					if(!window?.elementorV2) {+						return+					} -		window.elementorV2.editorAppBar.documentOptionsMenu.registerToggleAction({-			priority : 10,-			useProps : () => {-				const currentDocument = window.elementor?.documents?.getCurrent() || null;-				const isChanged = currentDocument?.editor?.isChanged ?? true;-				const isSaving = currentDocument?.editor?.isSaving ?? false;+					window.elementorV2.editorAppBar.documentOptionsMenu.registerToggleAction({+						priority : 10,+						useProps : () => {+							const currentDocument = window.elementor?.documents?.getCurrent() || null;+							const isChanged = currentDocument?.editor?.isChanged ?? true;+							const isSaving = currentDocument?.editor?.isSaving ?? false; -				return {-					title : '{$title}',-					icon  : window.elementorV2.icons.CalendarIcon,-					onClick : () => {-						document.dispatchEvent(new Event('aioseo-limit-modified-date-save'))-					},-					disabled : !isChanged || isSaving-				}-			}-		})-	})-})(window.jQuery)-JS;+							return {+								title : '{$title}',+								icon  : window.elementorV2.icons.CalendarIcon,+								onClick : () => {+									document.dispatchEvent(new Event('aioseo-limit-modified-date-save'))+								},+								disabled : !isChanged || isSaving+							}+						}+					})+				})+			})(window.jQuery)+		";  		wp_add_inline_script( 'elementor-editor', $script, 'before' ); 	}
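Review bot: Moving the script body in `addInlineScript()` from a heredoc to a double-quoted string keeps PHP interpolation active across the whole JavaScript block and adds a constraint the heredoc did not have: a `"` anywhere in the script now ends the PHP string. Only `{$title}` needs interpolating, so consider a single-quoted or nowdoc body with the title concatenated in, or passed through `wp_json_encode()`. The re-indentation also makes it hard to confirm from the hunk that nothing else in the script changed; a note in the commit message saying so would help.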
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - CWE-79 - app/Common/Standalone/PageBuilders/Elementor.php lines 79-106

Old Code:
```php
$script = <<<JS
(function($) {
	$(window).on('elementor:init', () => {
		if(!window?.elementorV2) {
			return
		}

		window.elementorV2.editorAppBar.documentOptionsMenu.registerToggleAction({
			priority : 10,
			useProps : () => {
				const currentDocument = window.elementor?.documents?.getCurrent() || null;
				const isChanged = currentDocument?.editor?.isChanged ?? true;
				const isSaving = currentDocument?.editor?.isSaving ?? false;

				return {
					title : '{$title}',
					icon  : window.elementorV2.icons.CalendarIcon,
					onClick : () => {
						document.dispatchEvent(new Event('aioseo-limit-modified-date-save'))
					},
					disabled : !isChanged || isSaving
				}
			}
		})
	})
})(window.jQuery)
JS;

wp_add_inline_script( 'elementor-editor', $script, 'before' );
```

Fixed Code:
```php
$script = "
	(function($) {
		$(window).on('elementor:init', () => {
			if(!window?.elementorV2) {
				return
			}

			window.elementorV2.editorAppBar.documentOptionsMenu.registerToggleAction({
				priority : 10,
				useProps : () => {
					const currentDocument = window.elementor?.documents?.getCurrent() || null;
					const isChanged = currentDocument?.editor?.isChanged ?? true;
					const isSaving = currentDocument?.editor?.isSaving ?? false;

					return {
						title : '{$title}',
						icon  : window.elementorV2.icons.CalendarIcon,
						onClick : () => {
							document.dispatchEvent(new Event('aioseo-limit-modified-date-save'))
						},
						disabled : !isChanged || isSaving
					}
				}
			})
		})
	})(window.jQuery)
";
```

Explanation:
The vulnerability was a stored XSS risk in the use of heredoc syntax with unescaped variable interpolation. In the old code, the `$title` variable containing user-controlled content (even after `esc_js()`) was embedded within a heredoc string that gets passed to `wp_add_inline_script()`. While `esc_js()` provides some protection, the heredoc syntax could potentially bypass or complicate escaping contexts. The fix changes to standard double-quoted string syntax with explicit variable interpolation `'{$title}'`, which maintains proper escaping context and makes the intent clearer to security analyzers. This ensures that the JavaScript-escaped title is properly contained within the script context without ambiguity about escaping levels.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Standalone/PageBuilders/Oxygen.php AI: 1 vulnerabilities 1 false positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Standalone/PageBuilders/Oxygen.php	2026-01-16 00:19:53.287207489 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Standalone/PageBuilders/Oxygen.php	2026-01-16 00:20:16.100640546 +0000@@ -169,7 +169,7 @@ 	public function limitModifiedDate( $postId ) { 		// This method is supposed to be used in the `breakdance_save` action. 		$action = function_exists( '\Breakdance\AJAX\get_nonce_key_for_ajax_requests' ) ? \Breakdance\AJAX\get_nonce_key_for_ajax_requests() : 'breakdance_ajax';-		if ( ! isset( $_REQUEST['_ajax_nonce'] ) || ! wp_verify_nonce( $_REQUEST['_ajax_nonce'], $action ) ) {+		if ( ! isset( $_REQUEST['_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_ajax_nonce'] ) ), $action ) ) { 			return false; 		} 
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
Improper Input Validation - CWE-20 - app/Common/Standalone/PageBuilders/Oxygen.php - Line 172

Old Code:
```php
if ( ! isset( $_REQUEST['_ajax_nonce'] ) || ! wp_verify_nonce( $_REQUEST['_ajax_nonce'], $action ) ) {
```

Fixed Code:
```php
if ( ! isset( $_REQUEST['_ajax_nonce'] ) || ! wp_verify_nonce( sanitize_text_field( wp_unslash( $_REQUEST['_ajax_nonce'] ) ), $action ) ) {
```

Explanation:
The original code passed the unsanitized `$_REQUEST['_ajax_nonce']` value directly to `wp_verify_nonce()`. While `wp_verify_nonce()` performs cryptographic verification which provides security, the direct use of `$_REQUEST` without sanitization violates WordPress security best practices (WPCS standards). The fix applies `sanitize_text_field()` and `wp_unslash()` to properly sanitize the input before passing it to `wp_verify_nonce()`. This ensures that any slashes added by magic_quotes are removed and the value is sanitized as a text field, reducing the attack surface and following secure coding practices. Although `wp_verify_nonce()` would reject tampered values, sanitizing before verification is the proper defensive approach.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Standalone/SeoPreview.php AI: 1 vulnerabilities 1 false positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Standalone/SeoPreview.php	2026-01-16 00:19:53.287207489 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Standalone/SeoPreview.php	2026-01-16 00:20:16.100640546 +0000@@ -158,7 +158,8 @@ 				$wpObject = aioseo()->helpers->getPost();  				if ( is_a( $wpObject, 'WP_Post' ) ) {-					$labels                = get_post_type_labels( get_post_type_object( $wpObject->post_type ) );+					$postTypeObject        = get_post_type_object( $wpObject->post_type );+					$labels                = $postTypeObject->labels; 					$data['editObjectUrl'] = get_edit_post_link( $wpObject, 'url' );  					if (
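Review bot: The new `$labels = $postTypeObject->labels;` line reads a property from the return value of `get_post_type_object()` with no null check in the visible lines. If `$wpObject->post_type` is not a registered post type at that point, the call returns null and the property read is made on null. Add a guard before the assignment, as the `Wp.php` helper changed in this same release does with its `return null;` ahead of the equivalent line.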
AI Analysis
Analyzing the provided code diff for security vulnerabilities:

Vulnerability Existed: yes
FALSE POSITIVE
Null Pointer Dereference / Type Error - CWE-476 - app/Common/Standalone/SeoPreview.php Lines 161-162

Old Code:
```php
$labels                = get_post_type_labels( get_post_type_object( $wpObject->post_type ) );
```

Fixed Code:
```php
$postTypeObject        = get_post_type_object( $wpObject->post_type );
$labels                = $postTypeObject->labels;
```

Explanation:
The original code calls `get_post_type_labels()` with the result of `get_post_type_object()` directly. According to WordPress documentation, `get_post_type_object()` can return `null` if an invalid post type is provided. The function `get_post_type_labels()` does not appear to exist in WordPress core (it's not a standard function), which would cause a fatal error. The fixed code stores the result of `get_post_type_object()` in a variable first and then accesses the `labels` property directly. However, this creates a new vulnerability: if `get_post_type_object()` returns `null`, accessing `$postTypeObject->labels` on line 162 will trigger a "Call to a member function on null" error (PHP Fatal Error). The fix does not include a null check before accessing the property, so while it may address an undefined function issue, it introduces or fails to prevent a null pointer dereference vulnerability (CWE-476). A secure fix would require checking if `$postTypeObject` is not null before accessing its properties.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Traits/Helpers/Wp.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Traits/Helpers/Wp.php	2026-01-16 00:19:53.291207740 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Traits/Helpers/Wp.php	2026-01-16 00:20:16.104640797 +0000@@ -973,7 +973,7 @@ 				return null; 			} -			$postTypeLabels[ $postType ] = get_post_type_labels( $postTypeObject );+			$postTypeLabels[ $postType ] = $postTypeObject->labels; 		}  		return $postTypeLabels[ $postType ];
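Review bot: the direct read of `$postTypeObject->labels` depends on the guard whose `return null;` is visible in the context above, but the condition itself is outside the hunk. Confirm it rejects a null `$postTypeObject` and not only an empty `$postType`. A one-line comment saying why `get_post_type_labels()` was dropped would also help, since the same swap appears in SeoPreview.php without explanation.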
AI Analysis
Vulnerability Existed: no

No CWE Identified - N/A - app/Common/Traits/Helpers/Wp.php - Line 976

Old Code:
```php
$postTypeLabels[ $postType ] = get_post_type_labels( $postTypeObject );
```

Fixed Code:
```php
$postTypeLabels[ $postType ] = $postTypeObject->labels;
```

Explanation:
This change is not a security fix but rather a refactoring improvement. The old code calls `get_post_type_labels()` function (which appears to be a custom function), while the fixed code directly accesses the `labels` property of the `$postTypeObject`. This is a performance optimization and code simplification, not a security vulnerability fix. Direct property access to a WordPress post type object's labels property is safe and standard practice in WordPress development. There are no security implications either way - no injection risks, privilege escalation, data exposure, or other security concerns present in either version.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Traits/Helpers/WpContext.php AI: Not Sure
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Traits/Helpers/WpContext.php	2026-01-16 00:19:53.291207740 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Traits/Helpers/WpContext.php	2026-01-16 00:20:16.104640797 +0000@@ -974,6 +974,44 @@ 	}  	/**+	 * Sets the given term as the queried object of the main query.+	 *+	 * @since 4.9.3+	 *+	 * @param  \WP_Term|int $wpTerm   The term object or ID.+	 * @param  string       $taxonomy The taxonomy name. Required if $wpTerm is an ID.+	 * @return void+	 */+	public function setWpQueryTerm( $wpTerm, $taxonomy = '' ) {+		$wpTerm = is_a( $wpTerm, 'WP_Term' ) ? $wpTerm : get_term( $wpTerm, $taxonomy );+		if ( ! is_a( $wpTerm, 'WP_Term' ) ) {+			return;+		}++		// phpcs:disable Squiz.NamingConventions.ValidVariableName+		global $wp_query;+		$this->originalQuery = $this->deepClone( $wp_query );++		$wp_query->queried_object    = $wpTerm;+		$wp_query->queried_object_id = (int) $wpTerm->term_id;+		$wp_query->is_archive        = true;++		// Set the appropriate taxonomy flag.+		switch ( $wpTerm->taxonomy ) {+			case 'category':+				$wp_query->is_category = true;+				break;+			case 'post_tag':+				$wp_query->is_tag = true;+				break;+			default:+				$wp_query->is_tax = true;+				break;+		}+		// phpcs:enable Squiz.NamingConventions.ValidVariableName+	}++	/** 	 * Restores the main query back to the original query. 	 * 	 * @since 4.3.0
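Review bot: `$this->originalQuery = $this->deepClone( $wp_query );` is assigned unconditionally, so a second call to `setWpQueryTerm()` before the restore method runs replaces the saved original with an already modified query, and the restore can then no longer return to the real main query. Suggest saving only when `originalQuery` is still empty. The switch also only turns flags on (`is_category`, `is_tag`, `is_tax`), so any conditional flags the previous query had set stay set alongside `is_archive`; consider resetting them before setting the term flags.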
AI Analysis
I'll analyze this code diff for security vulnerabilities.

**Vulnerability Existed: not sure**

**Improper Input Validation / Type Juggling - CWE-1025 - app/Common/Traits/Helpers/WpContext.php Lines 985-1012**

**Old Code:**
```
N/A (new code added)
```

**Fixed Code:**
```php
public function setWpQueryTerm( $wpTerm, $taxonomy = '' ) {
    $wpTerm = is_a( $wpTerm, 'WP_Term' ) ? $wpTerm : get_term( $wpTerm, $taxonomy );
    if ( ! is_a( $wpTerm, 'WP_Term' ) ) {
        return;
    }
    
    // ... rest of function
}
```

**Explanation:**

The code attempts to validate that `$wpTerm` is a `WP_Term` object, but there is a potential security concern with the `get_term()` call on line 985. The function accepts `$wpTerm` as either a `WP_Term` object or an integer ID, and `$taxonomy` as a string. However:

1. **Insufficient validation**: While `is_a()` checks are present, the `get_term()` function could return `null` or `false` on failure, which would still pass the initial check since it's only validated after the assignment.

2. **Type coercion risk**: The code converts `$wpTerm->term_id` to `(int)` on line 997, but doesn't validate that `$wpTerm` properties exist or are of expected types after `get_term()` returns.

3. **Potential for unexpected behavior**: If `get_term()` fails or returns unexpected data, and the object still passes `is_a()` check, subsequent property access could lead to undefined behavior or information disclosure.

The validation logic does provide some protection by checking the result post-assignment, which mitigates the most critical risks. However, more defensive programming practices (explicit null checks before property access) would strengthen this code.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Utils/Helpers.php AI: 1 vulnerabilities 1 false positive
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Utils/Helpers.php	2026-01-16 00:19:53.295207992 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Utils/Helpers.php	2026-01-16 00:20:16.108641048 +0000@@ -407,7 +407,7 @@ 			$cached[ $k ] = [ 				'url'     => $item['link'], 				'title'   => $item['title']['rendered'],-				'date'    => date( get_option( 'date_format' ), strtotime( $item['date'] ) ),+				'date'    => date_i18n( get_option( 'date_format' ), strtotime( $item['date'] ) ), 				'content' => wp_html_excerpt( $item['content']['rendered'], 128, '&hellip;' ), 			]; 
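Review bot: `strtotime( $item['date'] )` is passed straight into the formatter on the changed line with no check for a failed parse. `strtotime()` returns false for a string it cannot read, and `date_i18n()` then formats the current time, so a malformed `date` in an item would be cached as today's date. Suggest computing the timestamp first and leaving the field empty, or skipping the item, when it is false.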
AI Analysis
Vulnerability Existed: yes
FALSE POSITIVE
[CWE-598 Use of GET Request with Sensitive Query Strings] - CWE-598 (related to improper locale handling) - app/Common/Utils/Helpers.php Line 410

Old Code:
```php
'date'    => date( get_option( 'date_format' ), strtotime( $item['date'] ) ),
```

Fixed Code:
```php
'date'    => date_i18n( get_option( 'date_format' ), strtotime( $item['date'] ) ),
```

Explanation:
The vulnerability is not a traditional CWE but rather a **WordPress localization/internationalization issue**. The `date()` function is locale-agnostic and always uses the English locale, while `date_i18n()` respects WordPress's configured locale and language settings. This creates a security/functionality issue where:

1. **Information Disclosure Risk**: The date formatting doesn't respect user locale preferences, potentially exposing system locale information or creating inconsistent behavior across different WordPress installations.
2. **Improper Internationalization**: By using `date()` instead of `date_i18n()`, the code violates WordPress coding standards and can cause dates to display incorrectly for non-English sites, potentially leading to user confusion or exploitation of locale-dependent logic.
3. **Best Practice Violation**: WordPress explicitly requires `date_i18n()` for any user-facing date output to ensure proper internationalization and localization.

The fix correctly applies `date_i18n()`, which ensures the date formatting respects the site's configured language and locale settings, fixing both the security concern and the functionality issue.
CVE Analysis Results:
CVE-2025-14384: No
app/Common/Utils/Tags.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Common/Utils/Tags.php	2026-01-16 00:19:53.295207992 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Common/Utils/Tags.php	2026-01-16 00:20:16.108641048 +0000@@ -276,6 +276,11 @@ 			'tax_name', 			'taxonomy_title' 		],+		'schemaReviewAuthor'  => [+			'author_first_name',+			'author_last_name',+			'author_name'+		], 		'searchDescription'   => [ 			'current_date', 			'current_day',
AI Analysis
# Security Analysis: PatchLeaks Code Diff

Vulnerability Existed: **no**

**No Vulnerabilities Detected** - app/Common/Utils/Tags.php

**Old Code:**
```php
'tax_name',
'taxonomy_title'
],
'searchDescription'   => [
```

**Fixed Code:**
```php
'tax_name',
'taxonomy_title'
],
'schemaReviewAuthor'  => [
    'author_first_name',
    'author_last_name',
    'author_name'
],
'searchDescription'   => [
```

**Explanation:**

This diff adds a new configuration mapping for `schemaReviewAuthor` that associates it with author-related placeholder tags (`author_first_name`, `author_last_name`, `author_name`). This is a benign structural addition to a tag mapping configuration array with no security implications.

The change:
- Does not introduce any new code execution paths
- Does not modify input validation or sanitization logic
- Does not change how data is processed or output
- Is purely additive to configuration metadata
- Uses hardcoded string literals with no user input or dynamic values

No CWE vulnerabilities are present in this modification.
CVE Analysis Results:
CVE-2025-14384: No
app/Lite/Admin/Admin.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/app/Lite/Admin/Admin.php	2026-01-16 00:19:53.295207992 +0000+++ cache/all-in-one-seo-pack_4.9.3/app/Lite/Admin/Admin.php	2026-01-16 00:20:16.112641300 +0000@@ -104,7 +104,7 @@  		foreach ( $mappedUrls as $queryArg => $redirectUrl ) { 			if ( isset( $_GET[ $queryArg ] ) ) { // phpcs:ignore HM.Security.NonceVerification.Recommended, WordPress.Security.NonceVerification.Recommended-				wp_redirect( $redirectUrl );+				wp_redirect( $redirectUrl ); // phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect 				exit; 			} 		}
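Review bot: the added `phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect` carries no justification for why the sniff is safe to silence here. In the visible lines `$redirectUrl` is the value from `$mappedUrls` and `$_GET` is only tested for the presence of the key, so if that map is a fixed list defined in the plugin, say so in the comment next to the suppression. If every mapped URL is on the site's own host, `wp_safe_redirect()` would remove the need for the ignore altogether.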
AI Analysis
Vulnerability Existed: no
Open Redirect - CWE-601 - app/Lite/Admin/Admin.php Lines 107-108

Old Code:
```php
wp_redirect( $redirectUrl );
```

Fixed Code:
```php
wp_redirect( $redirectUrl ); // phpcs:ignore WordPress.Security.SafeRedirect.wp_redirect_wp_redirect
```

Explanation:
The diff shows only a phpcs comment annotation being added to suppress a WordPress coding standard warning. The underlying code itself has not been changed - `wp_redirect()` is still being called with `$redirectUrl` without validation.

However, the presence of the phpcs:ignore comment suggests the developers are aware of the potential open redirect vulnerability (CWE-601) that could occur if `$redirectUrl` is not properly validated. The suppression of the `WordPress.Security.SafeRedirect.wp_redirect_wp_redirect` rule indicates they are intentionally overriding the security check.

Without seeing the validation logic that populates `$mappedUrls` and `$redirectUrl`, this appears to be a security concern being masked rather than fixed. A proper fix would validate that `$redirectUrl` is a safe redirect destination (e.g., same-domain redirect) rather than simply suppressing the warning.
CVE Analysis Results:
CVE-2025-14384: No
dist/Lite/manifest.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/dist/Lite/manifest.php	2026-01-16 00:19:53.427216286 +0000+++ cache/all-in-one-seo-pack_4.9.3/dist/Lite/manifest.php	2026-01-16 00:20:16.240649338 +0000@@ -35,12 +35,12 @@       "_runtime-core.esm-bundler.ce5add0b.js"     ]   },-  "_AddonConditions.c3862ae2.js": {-    "file": "js/AddonConditions.c3862ae2.js",+  "_AddonConditions.a6214a89.js": {+    "file": "js/AddonConditions.a6214a89.js",     "name": "AddonConditions",     "imports": [-      "_index.317ad629.js",-      "_addons.a280be1f.js",+      "_index.4b887428.js",+      "_addons.9cee8bbb.js",       "_Index.2a391835.js",       "_Index.72794c8a.js",       "_translations.e71e2202.js",@@ -61,18 +61,18 @@     "file": "css/Analyze.bed4d271.css",     "src": "_Analyze.!~{04Z}~.js"   },-  "_Analyze.94b03cf4.js": {-    "file": "js/Analyze.94b03cf4.js",+  "_Analyze.bd0d8b1d.js": {+    "file": "js/Analyze.bd0d8b1d.js",     "name": "Analyze",     "imports": [       "_runtime-dom.esm-bundler.dc49ee3e.js",-      "_index.317ad629.js",+      "_index.4b887428.js",       "_popup.92105c51.js",-      "_SeoSiteScore.a1efd869.js",-      "_utils.7cd46cbc.js",+      "_SeoSiteScore.67f514f9.js",+      "_utils.87f13de5.js",       "_Blur.92695742.js",       "_helpers.633a054c.js",-      "_iphone-frame.2eb975ac.js",+      "_iphone-frame.af4f65aa.js",       "_DonutChart.16da12c9.js",       "_Index.a4d7633a.js",       "_Book.f0bec69d.js",@@ -81,7 +81,7 @@       "__plugin-vue_export-helper.eefbdd86.js",       "_runtime-core.esm-bundler.ce5add0b.js",       "_default-i18n.65d58dd6.js",-      "_ConnectStore.92e3ac21.js"+      "_ConnectStore.f1902987.js"     ],     "css": [       "css/Analyze.bed4d271.css"@@ -112,17 +112,17 @@     ]   },   "_App.!~{05C}~.js": {-    "file": "css/App.22327e51.css",+    "file": "css/App.befcf71d.css",     "src": "_App.!~{05C}~.js"   },-  "_App.a4d67f59.js": {-    "file": "js/App.a4d67f59.js",+  "_App.675dba82.js": {+    "file": "js/App.675dba82.js",     "name": "App",     
"imports": [       "_runtime-dom.esm-bundler.dc49ee3e.js",-      "_index.317ad629.js",-      "_ScrollAndHighlight.f74ce42e.js",-      "_LicenseKeyBar.48793272.js",+      "_index.4b887428.js",+      "_ScrollAndHighlight.f49826ae.js",+      "_LicenseKeyBar.40cfe2b2.js",       "__plugin-vue_export-helper.eefbdd86.js",       "_runtime-core.esm-bundler.ce5add0b.js",       "_Button.9a301412.js",@@ -132,77 +132,77 @@       "_icon.5e141fec.js",       "_default-i18n.65d58dd6.js",       "_constants.bc5863fe.js",-      "_Index.3a1576c6.js",+      "_Index.25ae8dfb.js",       "_Index.2a391835.js",       "_Pencil.d82df6a1.js",       "_SettingsRow.35256805.js",       "_Checkbox.6a913600.js",       "_Row.bb9acf3f.js",-      "_Url.c2dcf147.js",-      "_CreditCounter.1447795e.js",+      "_Url.9f0afcb2.js",+      "_CreditCounter.a677ab15.js",+      "_Tooltip.23c7170d.js",       "_helpers.633a054c.js",       "_Close.ccd53ef3.js",       "_CheckSolid.5be77a11.js",       "_Textarea.1045f090.js",-      "_Tooltip.23c7170d.js",       "_Trash.87a7d946.js",       "_AiContent.162ae902.js",       "_Simple.ad972ba4.js",       "_stripHTMLTags.7df752a7.js",       "_Plus.c9b03af8.js",       "_HighlightToggle.51ada893.js",-      "_Tabs.a35aa612.js",+      "_Tabs.13bb57b9.js",       "_debounce.652fa24c.js",-      "_Cta.30a759f8.js",+      "_Cta.650fc586.js",       "_Blur.92695742.js",       "_MaxCounts.b4988c4d.js",       "_Caret.cd869c5d.js",       "_Ellipse.79856822.js",       "_Eye.489b3324.js",-      "_TruSeoScore.89e5cf67.js",+      "_TruSeoScore.b5fd3bf1.js",       "_Statistics.48462985.js",       "_RadioToggle.18655b2f.js",-      "_GoogleSearchPreview.114c7833.js",-      "_HtmlTagsEditor.c93abc5f.js",+      "_GoogleSearchPreview.ea4e7828.js",+      "_HtmlTagsEditor.a6c3be1f.js",       "_Slide.3003ef51.js",       "_ProBadge.e6ec5f9a.js",       "_popup.92105c51.js",-      "_ConnectStore.92e3ac21.js",+      "_ConnectStore.f1902987.js",       "_datetime.f197aeae.js",-      "_license.414793bf.js",+ 
     "_license.388ee2cc.js",       "_Mobile.d702625c.js",-      "_Settings.79c0ab6f.js",+      "_Settings.c0d5dedf.js",       "_Cta.d280012a.js",-      "_GoogleSearchConsole.299a85c0.js",-      "_ConnectCta.af1c2a2e.js",+      "_GoogleSearchConsole.6d009df7.js",+      "_ConnectCta.c8f3baaf.js",       "_Index.72794c8a.js",-      "_Graph.497958b7.js",-      "_WpTable.9bcfde23.js",+      "_Graph.19914f74.js",+      "_WpTable.f051f458.js",       "_numbers.cdba2587.js",-      "_Table.b24bacad.js",-      "_RequiredPlans.3bd01b59.js",-      "_addons.a280be1f.js",+      "_Table.5d523def.js",+      "_RequiredPlans.515ee73d.js",+      "_addons.9cee8bbb.js",       "_PostTypes.4e006733.js",       "_External.5f8a6285.js",       "_InternalOutbound.5b420e7d.js",-      "_Image.18de3397.js",-      "_Editor.8a5e9531.js",-      "_FacebookPreview.b58a89ab.js",-      "_ImageUploader.81dc4a47.js",-      "_TwitterPreview.ab913faa.js",+      "_Image.33509a0b.js",+      "_Editor.179f32d8.js",+      "_FacebookPreview.3832e81a.js",+      "_ImageUploader.cbca7c75.js",+      "_TwitterPreview.bdf52362.js",       "_Build.acb95bd2.js",-      "_Index.2fb13293.js",-      "_Redirects.98c32cdc.js",-      "_Index.9292de28.js",+      "_Index.9e9d564d.js",+      "_Redirects.79d78435.js",+      "_Index.778efbec.js",       "_Input.f04bee4d.js",       "_Toggle.11571651.js",-      "_Upsell.da9355ad.js"+      "_Upsell.7de15d63.js"     ],     "dynamicImports": [       "src/vue/standalone/ai-image-generator/extend-block-editor.js"     ],     "css": [-      "css/App.22327e51.css",+      "css/App.befcf71d.css",       "css/main.d89f69d1.css"     ],     "assets": [@@ -276,11 +276,11 @@     "file": "css/Card.35ac16b1.css",     "src": "_Card.!~{03L}~.js"   },-  "_Card.b75a3969.js": {-    "file": "js/Card.b75a3969.js",+  "_Card.597c7ae2.js": {+    "file": "js/Card.597c7ae2.js",     "name": "Card",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_Tooltip.23c7170d.js",       
"_Caret.cd869c5d.js",       "_Trash.87a7d946.js",@@ -347,17 +347,17 @@     "file": "css/CloseAndExit.dcfe5db0.css",     "src": "_CloseAndExit.!~{03c}~.js"   },-  "_CloseAndExit.44cdfb74.js": {-    "file": "js/CloseAndExit.44cdfb74.js",+  "_CloseAndExit.2ea40092.js": {+    "file": "js/CloseAndExit.2ea40092.js",     "name": "CloseAndExit",     "imports": [-      "_index.317ad629.js",-      "_Wizard.2d82a982.js",-      "_Index.3a1576c6.js",+      "_index.4b887428.js",+      "_Wizard.9389f313.js",+      "_Index.25ae8dfb.js",       "_Close.ccd53ef3.js",       "_runtime-dom.esm-bundler.dc49ee3e.js",       "__plugin-vue_export-helper.eefbdd86.js",-      "_SetupWizardStore.d5fd9332.js",+      "_SetupWizardStore.f23d0bfe.js",       "_runtime-core.esm-bundler.ce5add0b.js"     ],     "css": [@@ -368,12 +368,12 @@     "file": "js/CommonSitemap.d3bc15ea.js",     "name": "CommonSitemap"   },-  "_ConnectCta.af1c2a2e.js": {-    "file": "js/ConnectCta.af1c2a2e.js",+  "_ConnectCta.c8f3baaf.js": {+    "file": "js/ConnectCta.c8f3baaf.js",     "name": "ConnectCta",     "imports": [-      "_index.317ad629.js",-      "_GoogleSearchConsole.299a85c0.js",+      "_index.4b887428.js",+      "_GoogleSearchConsole.6d009df7.js",       "_Index.72794c8a.js",       "_translations.e71e2202.js",       "_default-i18n.65d58dd6.js",@@ -388,23 +388,23 @@       "_runtime-core.esm-bundler.ce5add0b.js"     ]   },-  "_ConnectStore.92e3ac21.js": {-    "file": "js/ConnectStore.92e3ac21.js",+  "_ConnectStore.f1902987.js": {+    "file": "js/ConnectStore.f1902987.js",     "name": "ConnectStore",     "imports": [-      "_index.317ad629.js",-      "_SetupWizardStore.d5fd9332.js"+      "_index.4b887428.js",+      "_SetupWizardStore.f23d0bfe.js"     ]   },   "_CreditCounter.!~{04n}~.js": {     "file": "css/CreditCounter.8f70269f.css",     "src": "_CreditCounter.!~{04n}~.js"   },-  "_CreditCounter.1447795e.js": {-    "file": "js/CreditCounter.1447795e.js",+  "_CreditCounter.a677ab15.js": {+    "file": 
"js/CreditCounter.a677ab15.js",     "name": "CreditCounter",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_datetime.f197aeae.js",       "_Button.9a301412.js",       "_Tooltip.23c7170d.js",@@ -422,17 +422,25 @@     "file": "css/Cta.c3f648a6.css",     "src": "_Cta.!~{04o}~.js"   },-  "_Cta.30a759f8.js": {-    "file": "js/Cta.30a759f8.js",+  "_Cta.5c0d267b.js": {+    "file": "js/Cta.5c0d267b.js",+    "name": "Cta",+    "imports": [+      "__plugin-vue_export-helper.eefbdd86.js",+      "_runtime-core.esm-bundler.ce5add0b.js"+    ]+  },+  "_Cta.650fc586.js": {+    "file": "js/Cta.650fc586.js",     "name": "Cta",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_helpers.633a054c.js",       "_Button.9a301412.js",       "_Index.2a391835.js",       "_runtime-dom.esm-bundler.dc49ee3e.js",       "_translations.e71e2202.js",-      "_Index.3a1576c6.js",+      "_Index.25ae8dfb.js",       "_Close.ccd53ef3.js",       "_default-i18n.65d58dd6.js",       "_runtime-core.esm-bundler.ce5add0b.js",@@ -448,14 +456,6 @@       "images/ai-content.893361cb.png"     ]   },-  "_Cta.5c0d267b.js": {-    "file": "js/Cta.5c0d267b.js",-    "name": "Cta",-    "imports": [-      "__plugin-vue_export-helper.eefbdd86.js",-      "_runtime-core.esm-bundler.ce5add0b.js"-    ]-  },   "_Cta.d280012a.js": {     "file": "js/Cta.d280012a.js",     "name": "Cta",@@ -467,11 +467,11 @@     "file": "css/DatePicker.f182bdc7.css",     "src": "_DatePicker.!~{046}~.js"   },-  "_DatePicker.31ecbe38.js": {-    "file": "js/DatePicker.31ecbe38.js",+  "_DatePicker.36e9e18f.js": {+    "file": "js/DatePicker.36e9e18f.js",     "name": "DatePicker",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_Calendar.9a717949.js",       "_Pencil.d82df6a1.js",       "_translations.e71e2202.js",@@ -534,15 +534,15 @@     "file": "css/Editor.f339f527.css",     "src": "_Editor.!~{02$}~.js"   },-  "_Editor.8a5e9531.js": {-    "file": 
"js/Editor.8a5e9531.js",+  "_Editor.179f32d8.js": {+    "file": "js/Editor.179f32d8.js",     "name": "Editor",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_translations.e71e2202.js",       "_default-i18n.65d58dd6.js",       "_isEqual.59768dc1.js",-      "__baseClone.cfa156ff.js",+      "__baseClone.e7cb118a.js",       "_Input.f04bee4d.js",       "_Caret.cd869c5d.js",       "__plugin-vue_export-helper.eefbdd86.js",@@ -590,14 +590,14 @@     "file": "css/ExcludePosts.de879b72.css",     "src": "_ExcludePosts.!~{040}~.js"   },-  "_ExcludePosts.d14452d5.js": {-    "file": "js/ExcludePosts.d14452d5.js",+  "_ExcludePosts.d38ebe01.js": {+    "file": "js/ExcludePosts.d38ebe01.js",     "name": "ExcludePosts",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_JsonValues.a0694556.js",       "_Button.9a301412.js",-      "_Select.69906a74.js",+      "_Select.f950b4c6.js",       "_AddPlus.39af5a0f.js",       "_Close.ccd53ef3.js",       "_External.641efa63.js",@@ -647,12 +647,12 @@     "file": "css/FacebookPreview.a19706d8.css",     "src": "_FacebookPreview.!~{04A}~.js"   },-  "_FacebookPreview.b58a89ab.js": {-    "file": "js/FacebookPreview.b58a89ab.js",+  "_FacebookPreview.3832e81a.js": {+    "file": "js/FacebookPreview.3832e81a.js",     "name": "FacebookPreview",     "imports": [-      "_index.317ad629.js",-      "_Img.4d5c45cc.js",+      "_index.4b887428.js",+      "_Img.85371eb9.js",       "_Button.9a301412.js",       "_Profile.1de11420.js",       "__plugin-vue_export-helper.eefbdd86.js",@@ -674,11 +674,11 @@     "file": "css/GettingStarted.2a059fab.css",     "src": "_GettingStarted.!~{04p}~.js"   },-  "_GettingStarted.70014c7b.js": {-    "file": "js/GettingStarted.70014c7b.js",+  "_GettingStarted.af7cd261.js": {+    "file": "js/GettingStarted.af7cd261.js",     "name": "GettingStarted",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_Row.bb9acf3f.js",       "_Book.f0bec69d.js",  
     "_Close.ccd53ef3.js",@@ -701,11 +701,11 @@       "_runtime-core.esm-bundler.ce5add0b.js"     ]   },-  "_GoogleSearchConsole.299a85c0.js": {-    "file": "js/GoogleSearchConsole.299a85c0.js",+  "_GoogleSearchConsole.6d009df7.js": {+    "file": "js/GoogleSearchConsole.6d009df7.js",     "name": "GoogleSearchConsole",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_translations.e71e2202.js",       "_runtime-core.esm-bundler.ce5add0b.js",       "_default-i18n.65d58dd6.js"@@ -715,14 +715,14 @@     "file": "css/GoogleSearchPreview.49ea6dbd.css",     "src": "_GoogleSearchPreview.!~{03j}~.js"   },-  "_GoogleSearchPreview.114c7833.js": {-    "file": "js/GoogleSearchPreview.114c7833.js",+  "_GoogleSearchPreview.ea4e7828.js": {+    "file": "js/GoogleSearchPreview.ea4e7828.js",     "name": "GoogleSearchPreview",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_constants.bc5863fe.js",       "_Caret.cd869c5d.js",-      "_Url.c2dcf147.js",+      "_Url.9f0afcb2.js",       "_translations.e71e2202.js",       "_runtime-dom.esm-bundler.dc49ee3e.js",       "__plugin-vue_export-helper.eefbdd86.js",@@ -737,11 +737,11 @@     "file": "css/Graph.967dc7cd.css",     "src": "_Graph.!~{051}~.js"   },-  "_Graph.497958b7.js": {-    "file": "js/Graph.497958b7.js",+  "_Graph.19914f74.js": {+    "file": "js/Graph.19914f74.js",     "name": "Graph",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_numbers.cdba2587.js",       "_helpers.633a054c.js",       "_vue3-apexcharts.d821ad9d.js",@@ -767,16 +767,16 @@     "file": "css/Header.d3d0905f.css",     "src": "_Header.!~{03b}~.js"   },-  "_Header.ae0d0374.js": {-    "file": "js/Header.ae0d0374.js",+  "_Header.ab7dd0a5.js": {+    "file": "js/Header.ab7dd0a5.js",     "name": "Header",     "imports": [       "_runtime-dom.esm-bundler.dc49ee3e.js",       "_vue-router.41e9d860.js",-      "_index.317ad629.js",-      "_addons.a280be1f.js",-      
"_ScrollAndHighlight.f74ce42e.js",-      "_LicenseKeyBar.48793272.js",+      "_index.4b887428.js",+      "_addons.9cee8bbb.js",+      "_ScrollAndHighlight.f49826ae.js",+      "_LicenseKeyBar.40cfe2b2.js",       "_AnimatedNumber.97e7e241.js",       "__plugin-vue_export-helper.eefbdd86.js",       "_runtime-core.esm-bundler.ce5add0b.js",@@ -791,15 +791,15 @@       "css/Header.1b594f68.css"     ]   },-  "_Header.f7aecc8c.js": {-    "file": "js/Header.f7aecc8c.js",+  "_Header.b394e22f.js": {+    "file": "js/Header.b394e22f.js",     "name": "Header",     "imports": [       "__plugin-vue_export-helper.eefbdd86.js",       "_runtime-core.esm-bundler.ce5add0b.js",-      "_index.317ad629.js",+      "_index.4b887428.js",       "_Logo.3715aad2.js",-      "_SetupWizardStore.d5fd9332.js"+      "_SetupWizardStore.f23d0bfe.js"     ],     "css": [       "css/Header.d3d0905f.css"@@ -834,15 +834,15 @@     "file": "css/HtmlTagsEditor.62a1ac53.css",     "src": "_HtmlTagsEditor.!~{02_}~.js"   },-  "_HtmlTagsEditor.c93abc5f.js": {-    "file": "js/HtmlTagsEditor.c93abc5f.js",+  "_HtmlTagsEditor.a6c3be1f.js": {+    "file": "js/HtmlTagsEditor.a6c3be1f.js",     "name": "HtmlTagsEditor",     "imports": [-      "_index.317ad629.js",-      "_Editor.8a5e9531.js",+      "_index.4b887428.js",+      "_Editor.179f32d8.js",       "__plugin-vue_export-helper.eefbdd86.js",       "_runtime-core.esm-bundler.ce5add0b.js",-      "_UnfilteredHtml.f93ca71d.js",+      "_UnfilteredHtml.ac78585e.js",       "_Pencil.d82df6a1.js",       "_runtime-dom.esm-bundler.dc49ee3e.js",       "_translations.e71e2202.js",@@ -852,11 +852,11 @@       "css/HtmlTagsEditor.62a1ac53.css"     ]   },-  "_Image.18de3397.js": {-    "file": "js/Image.18de3397.js",+  "_Image.33509a0b.js": {+    "file": "js/Image.33509a0b.js",     "name": "Image",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_translations.e71e2202.js",       "_runtime-core.esm-bundler.ce5add0b.js",       "_default-i18n.65d58dd6.js"@@ 
-874,16 +874,16 @@     "file": "css/ImageUploader.93e8cb36.css",     "src": "_ImageUploader.!~{034}~.js"   },-  "_ImageUploader.81dc4a47.js": {-    "file": "js/ImageUploader.81dc4a47.js",+  "_ImageUploader.cbca7c75.js": {+    "file": "js/ImageUploader.cbca7c75.js",     "name": "ImageUploader",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_translations.e71e2202.js",       "_default-i18n.65d58dd6.js",       "_runtime-core.esm-bundler.ce5add0b.js",       "_Button.9a301412.js",-      "_Img.4d5c45cc.js",+      "_Img.85371eb9.js",       "_Input.f04bee4d.js",       "_Plus.c9b03af8.js",       "_Trash.87a7d946.js",@@ -894,11 +894,11 @@       "css/ImageUploader.93e8cb36.css"     ]   },-  "_Img.4d5c45cc.js": {-    "file": "js/Img.4d5c45cc.js",+  "_Img.85371eb9.js": {+    "file": "js/Img.85371eb9.js",     "name": "Img",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "__plugin-vue_export-helper.eefbdd86.js",       "_runtime-core.esm-bundler.ce5add0b.js"     ]@@ -935,53 +935,11 @@     "file": "css/Index.17849410.css",     "src": "_Index.!~{05h}~.js"   },-  "_Index.2a391835.js": {-    "file": "js/Index.2a391835.js",-    "name": "Index",-    "imports": [-      "_Close.ccd53ef3.js",-      "__plugin-vue_export-helper.eefbdd86.js",-      "_runtime-core.esm-bundler.ce5add0b.js"-    ],-    "css": [-      "css/Index.74bb20a6.css"-    ]-  },-  "_Index.2fb13293.js": {-    "file": "js/Index.2fb13293.js",-    "name": "Index",-    "imports": [-      "_constants.bc5863fe.js",-      "_index.317ad629.js",-      "_JsonValues.a0694556.js",-      "_Index.9292de28.js",-      "_Url.c2dcf147.js",-      "_Button.9a301412.js",-      "_Select.69906a74.js",-      "_Index.2a391835.js",-      "_date.f7db1924.js",-      "_datetime.f197aeae.js",-      "_DatePicker.31ecbe38.js",-      "_Input.f04bee4d.js",-      "_Tooltip.23c7170d.js",-      "_Trash.87a7d946.js",-      "_Plus.c9b03af8.js",-      "_translations.e71e2202.js",-      
"__plugin-vue_export-helper.eefbdd86.js",-      "_default-i18n.65d58dd6.js",-      "_runtime-core.esm-bundler.ce5add0b.js",-      "_Slide.3003ef51.js",-      "_runtime-dom.esm-bundler.dc49ee3e.js"-    ],-    "css": [-      "css/Index.1f46ce05.css"-    ]-  },-  "_Index.3a1576c6.js": {-    "file": "js/Index.3a1576c6.js",+  "_Index.25ae8dfb.js": {+    "file": "js/Index.25ae8dfb.js",     "name": "Index",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_Close.ccd53ef3.js",       "_runtime-dom.esm-bundler.dc49ee3e.js",       "__plugin-vue_export-helper.eefbdd86.js",@@ -991,41 +949,16 @@       "css/Index.98ff9b0b.css"     ]   },-  "_Index.3c8fd730.js": {-    "file": "js/Index.3c8fd730.js",+  "_Index.2a391835.js": {+    "file": "js/Index.2a391835.js",     "name": "Index",     "imports": [-      "_vue-router.41e9d860.js",-      "_index.317ad629.js",-      "_license.414793bf.js",-      "_params.af7ed354.js",-      "_Tabs.a35aa612.js",-      "_Index.2a391835.js",-      "_Header.ae0d0374.js",-      "_LicenseKeyBar.48793272.js",-      "_Logo.3715aad2.js",       "_Close.ccd53ef3.js",       "__plugin-vue_export-helper.eefbdd86.js",-      "_runtime-core.esm-bundler.ce5add0b.js",-      "_Support.1c4a9051.js",-      "_translations.e71e2202.js",-      "_runtime-dom.esm-bundler.dc49ee3e.js",-      "_default-i18n.65d58dd6.js",-      "_helpers.633a054c.js",-      "_date.f7db1924.js",-      "_Url.c2dcf147.js",-      "_Button.9a301412.js",-      "_Pencil.d82df6a1.js",-      "_Exclamation.fc507dc9.js",-      "_Gear.0f79dbf5.js",-      "_Slide.3003ef51.js"+      "_runtime-core.esm-bundler.ce5add0b.js"     ],     "css": [-      "css/Index.d749a0ad.css",-      "css/main.d89f69d1.css"-    ],-    "assets": [-      "images/dannie-detective.b4823250.png"+      "css/Index.74bb20a6.css"     ]   },   "_Index.72794c8a.js": {@@ -1046,12 +979,12 @@       "css/Index.1cf864a9.css"     ]   },-  "_Index.9292de28.js": {-    "file": "js/Index.9292de28.js",+  
"_Index.778efbec.js": {+    "file": "js/Index.778efbec.js",     "name": "Index",     "imports": [-      "_index.317ad629.js",-      "_Url.c2dcf147.js",+      "_index.4b887428.js",+      "_Url.9f0afcb2.js",       "_Input.f04bee4d.js",       "_Button.9a301412.js",       "_Pencil.d82df6a1.js",@@ -1074,6 +1007,36 @@       "css/Index.17849410.css"     ]   },+  "_Index.9e9d564d.js": {+    "file": "js/Index.9e9d564d.js",+    "name": "Index",+    "imports": [+      "_constants.bc5863fe.js",+      "_index.4b887428.js",+      "_JsonValues.a0694556.js",+      "_Index.778efbec.js",+      "_Url.9f0afcb2.js",+      "_Button.9a301412.js",+      "_Select.f950b4c6.js",+      "_Index.2a391835.js",+      "_date.f7db1924.js",+      "_datetime.f197aeae.js",+      "_DatePicker.36e9e18f.js",+      "_Input.f04bee4d.js",+      "_Tooltip.23c7170d.js",+      "_Trash.87a7d946.js",+      "_Plus.c9b03af8.js",+      "_translations.e71e2202.js",+      "__plugin-vue_export-helper.eefbdd86.js",+      "_default-i18n.65d58dd6.js",+      "_runtime-core.esm-bundler.ce5add0b.js",+      "_Slide.3003ef51.js",+      "_runtime-dom.esm-bundler.dc49ee3e.js"+    ],+    "css": [+      "css/Index.1f46ce05.css"+    ]+  },   "_Index.a4d7633a.js": {     "file": "js/Index.a4d7633a.js",     "name": "Index",@@ -1108,6 +1071,43 @@       "css/Index.a5c3a0c3.css"     ]   },+  "_Index.d5e64911.js": {+    "file": "js/Index.d5e64911.js",+    "name": "Index",+    "imports": [+      "_vue-router.41e9d860.js",+      "_index.4b887428.js",+      "_license.388ee2cc.js",+      "_params.af7ed354.js",+      "_Tabs.13bb57b9.js",+      "_Index.2a391835.js",+      "_Header.ab7dd0a5.js",+      "_LicenseKeyBar.40cfe2b2.js",+      "_Logo.3715aad2.js",+      "_Close.ccd53ef3.js",+      "__plugin-vue_export-helper.eefbdd86.js",+      "_runtime-core.esm-bundler.ce5add0b.js",+      "_Support.1c4a9051.js",+      "_translations.e71e2202.js",+      "_runtime-dom.esm-bundler.dc49ee3e.js",+      "_default-i18n.65d58dd6.js",+      
"_helpers.633a054c.js",+      "_date.f7db1924.js",+      "_Url.9f0afcb2.js",+      "_Button.9a301412.js",+      "_Pencil.d82df6a1.js",+      "_Exclamation.fc507dc9.js",+      "_Gear.0f79dbf5.js",+      "_Slide.3003ef51.js"+    ],+    "css": [+      "css/Index.d749a0ad.css",+      "css/main.d89f69d1.css"+    ],+    "assets": [+      "images/dannie-detective.b4823250.png"+    ]+  },   "_IndexStatus.!~{04P}~.js": {     "file": "css/IndexStatus.c33412c0.css",     "src": "_IndexStatus.!~{04P}~.js"@@ -1191,19 +1191,19 @@     "file": "css/KeywordsGraph.2b3f4acc.css",     "src": "_KeywordsGraph.!~{05L}~.js"   },-  "_KeywordsGraph.6b03c7c8.js": {-    "file": "js/KeywordsGraph.6b03c7c8.js",+  "_KeywordsGraph.3a6612a1.js": {+    "file": "js/KeywordsGraph.3a6612a1.js",     "name": "KeywordsGraph",     "imports": [-      "_index.317ad629.js",-      "_Graph.497958b7.js",+      "_index.4b887428.js",+      "_Graph.19914f74.js",       "_translations.e71e2202.js",       "__plugin-vue_export-helper.eefbdd86.js",       "_default-i18n.65d58dd6.js",       "_runtime-core.esm-bundler.ce5add0b.js",       "_Blur.92695742.js",       "_Index.72794c8a.js",-      "_License.579c3b37.js"+      "_License.3e238906.js"     ],     "css": [       "css/KeywordsGraph.2b3f4acc.css"@@ -1217,12 +1217,12 @@       "_runtime-core.esm-bundler.ce5add0b.js"     ]   },-  "_License.579c3b37.js": {-    "file": "js/License.579c3b37.js",+  "_License.3e238906.js": {+    "file": "js/License.3e238906.js",     "name": "License",     "imports": [-      "_index.317ad629.js",-      "_license.414793bf.js",+      "_index.4b887428.js",+      "_license.388ee2cc.js",       "_translations.e71e2202.js",       "_runtime-core.esm-bundler.ce5add0b.js",       "_default-i18n.65d58dd6.js"@@ -1232,11 +1232,11 @@     "file": "css/LicenseKeyBar.74afda48.css",     "src": "_LicenseKeyBar.!~{03B}~.js"   },-  "_LicenseKeyBar.48793272.js": {-    "file": "js/LicenseKeyBar.48793272.js",+  "_LicenseKeyBar.40cfe2b2.js": {+    "file": 
"js/LicenseKeyBar.40cfe2b2.js",     "name": "LicenseKeyBar",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_LogoGear.32164283.js",       "_translations.e71e2202.js",       "__plugin-vue_export-helper.eefbdd86.js",@@ -1310,25 +1310,25 @@       "_runtime-core.esm-bundler.ce5add0b.js"     ]   },-  "_MetaTags.a62a4cf9.js": {-    "file": "js/MetaTags.a62a4cf9.js",+  "_MetaTags.b158714b.js": {+    "file": "js/MetaTags.b158714b.js",     "name": "MetaTags",     "imports": [-      "_index.317ad629.js"+      "_index.4b887428.js"     ]   },   "_MiIntro.!~{03R}~.js": {     "file": "css/MiIntro.7ca85fe8.css",     "src": "_MiIntro.!~{03R}~.js"   },-  "_MiIntro.797b019b.js": {-    "file": "js/MiIntro.797b019b.js",+  "_MiIntro.27e64eda.js": {+    "file": "js/MiIntro.27e64eda.js",     "name": "MiIntro",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_helpers.633a054c.js",       "_translations.e71e2202.js",-      "_Card.b75a3969.js",+      "_Card.597c7ae2.js",       "_LogoGear.32164283.js",       "_Pencil.d82df6a1.js",       "_em.7625294c.js",@@ -1356,13 +1356,13 @@     "file": "css/Modal.f7160347.css",     "src": "_Modal.!~{05E}~.js"   },-  "_Modal.310262c4.js": {-    "file": "js/Modal.310262c4.js",+  "_Modal.27ad2a73.js": {+    "file": "js/Modal.27ad2a73.js",     "name": "Modal",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_ScoreButton.a94ce559.js",-      "_App.a4d67f59.js",+      "_App.675dba82.js",       "_Close.ccd53ef3.js",       "__plugin-vue_export-helper.eefbdd86.js",       "_runtime-core.esm-bundler.ce5add0b.js",@@ -1374,11 +1374,11 @@       "css/Modal.f7160347.css"     ]   },-  "_Network.f6b999d3.js": {-    "file": "js/Network.f6b999d3.js",+  "_Network.338b9e3b.js": {+    "file": "js/Network.338b9e3b.js",     "name": "Network",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_runtime-core.esm-bundler.ce5add0b.js"     ]   },@@ -1386,11 
+1386,11 @@     "file": "css/Overview.1e1525d0.css",     "src": "_Overview.!~{05F}~.js"   },-  "_Overview.601b3291.js": {-    "file": "js/Overview.601b3291.js",+  "_Overview.c0801b97.js": {+    "file": "js/Overview.c0801b97.js",     "name": "Overview",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_Index.2a391835.js",       "_DonutChartWithLegend.f0fcceca.js",       "__plugin-vue_export-helper.eefbdd86.js",@@ -1403,16 +1403,16 @@       "css/Overview.1e1525d0.css"     ]   },-  "_PageBuilderIntegration.124634ec.js": {-    "file": "js/PageBuilderIntegration.124634ec.js",+  "_PageBuilderIntegration.5bb34b91.js": {+    "file": "js/PageBuilderIntegration.5bb34b91.js",     "name": "PageBuilderIntegration",     "imports": [       "_runtime-dom.esm-bundler.dc49ee3e.js",       "_vue-router.41e9d860.js",-      "_index.317ad629.js",+      "_index.4b887428.js",       "_index.20093c86.js",-      "_index.3030e086.js",-      "_helpers.9595460e.js",+      "_index.f5fa0cce.js",+      "_helpers.1a09a04b.js",       "_runtime-core.esm-bundler.ce5add0b.js"     ]   },@@ -1468,11 +1468,11 @@     "file": "css/PostTypeOptions.f99b2138.css",     "src": "_PostTypeOptions.!~{03k}~.js"   },-  "_PostTypeOptions.5b828546.js": {-    "file": "js/PostTypeOptions.5b828546.js",+  "_PostTypeOptions.dbaabd8e.js": {+    "file": "js/PostTypeOptions.dbaabd8e.js",     "name": "PostTypeOptions",     "imports": [-      "_index.317ad629.js",+      "_index.4b887428.js",       "_PostTypes.4e006733.js",       "_HighlightToggle.51ada893.js",       "_Index.2a391835.js",@@ -1499,19 +1499,19 @@     "file": "css/PostsTable.8e2d5d50.css",     "src": "_PostsTable.!~{05S}~.js"   },-  "_PostsTable.9299dc1b.js": {-    "file": "js/PostsTable.9299dc1b.js",+  "_PostsTable.6e10d475.js": {+    "file": "js/PostsTable.6e10d475.js",     "name": "PostsTable",     "imports": [       "_runtime-dom.esm-bundler.dc49ee3e.js",-      "_index.317ad629.js",+      "_index.4b887428.js",       
"_PostTypes.4e006733.js",-      "_Statistic.92d73d13.js",-      "_WpTable.9bcfde23.js",-      "_license.414793bf.js",+      "_Statistic.2ff4c4cd.js",+      "_WpTable.f051f458.js",+      "_license.388ee2cc.js",       "_numbers.cdba2587.js",       "_ScoreButton.a94ce559.js",-      "_Table.b24bacad.js",+      "_Table.5d523def.js",       "_Index.72794c8a.js",       "_datetime.f197aeae.js",       "_vue3-apexcharts.d821ad9d.js",@@ -1590,19 +1590,19 @@     "file": "css/Redirects.8e63a6d2.css",     "src": "_Redirects.!~{05z}~.js"   },-  "_Redirects.98c32cdc.js": {-    "file": "js/Redirects.98c32cdc.js",+  "_Redirects.79d78435.js": {+    "file": "js/Redirects.79d78435.js",     "name": "Redirects",     "imports": [-      "_index.317ad629.js",-      "_license.414793bf.js",+      "_index.4b887428.js",+      "_license.388ee2cc.js",       "_constants.bc5863fe.js",       "_Blur.92695742.js",-      "_Card.b75a3969.js",-      "_Table.b24bacad.js",+      "_Card.597c7ae2.js",+      "_Table.5d523def.js",       "_Index.72794c8a.js",       "_Button.9a301412.js",-      "_Index.9292de28.js",+      "_Index.778efbec.js",       "_translations.e71e2202.js",       "__plugin-vue_export-helper.eefbdd86.js",       "_default-i18n.65d58dd6.js",@@ -1624,13 +1624,13 @@     "file": "css/RequiredPlans.9646f410.css",     "src": "_RequiredPlans.!~{03K}~.js"   },
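Review bot: the paired removal and addition of whole `_Index.*` entries in the `@@ -935,53 +935,11 @@` through `@@ -1071,6 +1071,43 @@` hunks should be read as re-hashes, not as components being dropped or introduced. `_Index.2fb13293.js` returns as `_Index.9e9d564d.js` and `_Index.3c8fd730.js` as `_Index.d5e64911.js`, each with the same import list, CSS and assets apart from updated dependency hashes; they only change position because the manifest appears to be sorted by key. Every renamed entry visible here imports `_index.317ad629.js` → `_index.4b887428.js`, and the CSS entries shown keep their hashes, so the change is on the JavaScript side and starts in the `_index` chunk and the other leaf chunks whose hashes moved (`_Url`, `_license`, `_Card`, `_Table`, `_Select`, `_helpers`). The manifest cannot show what changed inside them, so those chunks or their sources are what need to be diffed before this file can be signed off.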
AI Analysis
I'll analyze this code diff for security vulnerabilities following the specified format.

Vulnerability Existed: no

Explanation:
This diff represents a manifest file for a Vue.js application that contains only hash updates for compiled JavaScript and CSS files. The changes are:

1. **Hash Updates**: File hashes have been updated (e.g., `c3862ae2` → `a6214a89`, `94b03cf4` → `bd0d8b1d`), which is normal for build processes when source code changes.

2. **Dependency Reference Updates**: Import statements reference files by their updated hashes, which is expected and necessary when bundles are rebuilt.

3. **File Reordering**: Some entries have been reordered in the manifest (e.g., `_Cta.5c0d267b.js` moved from line 456 to line 425), which is a structural change with no security implications.

4. **Entry Removal/Addition**: New index entries were added (`_Index.9e9d564d.js`, `_Index.d5e64911.js`) and old ones removed, reflecting changes in the component structure.

**Security Assessment:**
- No code injection vulnerabilities
- No authentication/authorization changes
- No exposed sensitive data
- No unsafe function calls
- No dependency on vulnerable packages (manifest only contains hashes)
- No configuration changes that would weaken security

The diff is a benign build artifact update with no security implications. These types of changes occur regularly during application rebuilds and version updates.
CVE Analysis Results:
CVE-2025-14384: No
languages/aioseo-lite.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/languages/aioseo-lite.php	2026-01-16 00:19:53.431216539 +0000+++ cache/all-in-one-seo-pack_4.9.3/languages/aioseo-lite.php	2026-01-16 00:20:16.240649338 +0000@@ -29,9 +29,6 @@ 	// Reference: /src/vue/pages/link-assistant/views/partials/overview/MostLinkedDomains.vue:97 	__( '# of Links', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/pages/ai-insights/views/partials/ReportResults.vue:69-	__( '#%1$s', 'all-in-one-seo-pack' ),- 	// Reference: /src/vue/classes/SeoAnalysis/PerformanceIssues.js:10 	// Translators: 1: The amount of requests. 	_n( '%1$d asset is loaded on the page.', '%1$d assets are loaded on the page.', 0, 'all-in-one-seo-pack' ),@@ -114,10 +111,12 @@ 	// Translators: 1 - Date, 2 - Timestamp. 	__( '%1$s at %2$s', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/pages/ai-insights/views/partials/Brands.vue:183+	// Reference: /src/vue/pages/ai-insights/views/partials/Brands.vue:184+	// Translators: 1 - Number of brands mentioned. 	_n( '%1$s brand mentioned', '%1$s brands mentioned', 0, 'all-in-one-seo-pack' ), -	// Reference: /src/vue/pages/ai-insights/views/partials/ReportResults.vue:65+	// Reference: /src/vue/pages/ai-insights/views/partials/ReportResults.vue:69+	// Translators: 1 - Number of brands. 	__( '%1$s brands', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/blocks/table-of-contents/vue/partials/Header.vue:74@@ -334,7 +333,8 @@ 	// Translators: 1 - A plugin name (e.g. "MonsterInsights", "Broken Link Checker", etc.). 	__( '%1$s shows you exactly which content gets the most visits, so you can analyze and optimize it for higher conversions.', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/pages/ai-insights/views/partials/ReportResults.vue:63+	// Reference: /src/vue/pages/ai-insights/views/partials/ReportResults.vue:64+	// Translators: 1 - Number of sources. 	
__( '%1$s sources', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/blocks/table-of-contents/vue/Reorder.vue:21@@ -352,7 +352,8 @@ 	// Translators: 1 - The name of the plugin being imported (e.g "Yoast SEO"). 	__( '%1$s was successfully imported!', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/pages/ai-insights/views/partials/ReportResults.vue:67+	// Reference: /src/vue/pages/ai-insights/views/partials/ReportResults.vue:74+	// Translators: 1 - Number of web search sources. 	__( '%1$s Web Search Sources', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/pages/search-appearance/views/partials/crawl-cleanup/SearchCleanup.vue:50@@ -820,7 +821,7 @@ 	// Reference: /src/vue/pages/link-assistant/views/partials/overview/LinkRatio.vue:47 	__( 'Affiliate Links', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:12+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:13 	__( 'AI Assistant', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/pages/settings/router/paths.js:50@@ -1188,9 +1189,8 @@ 	// Reference: /src/vue/pages/redirects/views/lite/redirects/Table.vue:78 	__( 'Are you sure you want to delete this redirect?', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/pages/ai-insights/views/partials/ReportsTable.vue:204-	// Translators: 1 - Number of reports.-	_n( 'Are you sure you want to delete this report?', 'Are you sure you want to delete %d reports?', 0, 'all-in-one-seo-pack' ),+	// Reference: /src/vue/pages/ai-insights/views/partials/ReportsTable.vue:202+	_n( 'Are you sure you want to delete this report?', 'Are you sure you want to delete these reports?', 0, 'all-in-one-seo-pack' ),  	// Reference: /src/vue/components/common/ai/DisconnectModal.vue:23 	__( 'Are you sure you want to disconnect from AI Content?', 'all-in-one-seo-pack' ),@@ -1250,7 +1250,7 @@ 	// Reference: /src/vue/standalone/blocks/html-sitemap/vue/SidebarOptions.vue:13 	__( 'Ascending', 
'all-in-one-seo-pack' ), -	// Reference: /src/vue/composables/AiContent.js:69+	// Reference: /src/vue/composables/AiContent.js:82 	__( 'Aspect Ratio', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/classes/SeoAnalysis/PerformanceIssues.js:18@@ -1296,7 +1296,7 @@ 	// Reference: /src/vue/pages/search-appearance/views/partials/crawl-cleanup/RssFeeds.vue:69 	__( 'Attachments Feed', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/composables/AiContent.js:65+	// Reference: /src/vue/composables/AiContent.js:78 	// Reference: /src/vue/pages/settings/views/partials/AiContent/Main.vue:44 	// Reference: /src/vue/standalone/blocks/ai-assistant/components/AudienceSelector.jsx:5 	__( 'Audience', 'all-in-one-seo-pack' ),@@ -1485,6 +1485,9 @@ 	// Reference: /src/vue/pages/search-appearance/views/partials/crawl-cleanup/PreventCrawling.vue:27 	__( 'Block Crawling of Internal Site Search URLs', 'all-in-one-seo-pack' ), +	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/FeatureCard.vue:65+	__( 'Block hidden in %1$s.', 'all-in-one-seo-pack' ),+ 	// Reference: /src/vue/pages/search-appearance/views/partials/crawl-cleanup/SearchCleanup.vue:39 	__( 'Block internal site searches which contain complex and non-alphanumeric characters.', 'all-in-one-seo-pack' ), 
@@ -2256,7 +2259,7 @@ 	__( 'Creative & Artistic', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/components/common/ai/CreditCounter.vue:47-	// Reference: /src/vue/composables/AiContent.js:59+	// Reference: /src/vue/composables/AiContent.js:72 	__( 'Credits', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/classes/SiteAnalysis.js:341@@ -3202,7 +3205,7 @@ 	// Reference: /src/vue/classes/SiteAnalysis.js:188 	__( 'External:', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:86+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:87 	__( 'Extract and summarize the key points from your content to provide quick insights and improve readability.', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/pages/social-networks/router/paths.js:39@@ -3257,7 +3260,7 @@ 	// Reference: /src/vue/standalone/blocks/faq/lite/Sidebar.jsx:50 	__( 'FAQ schema is a Pro feature.', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:75+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:76 	__( 'FAQs', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/pages/redirects/views/partials/UpsellRedirects.vue:47@@ -3554,7 +3557,7 @@ 	// Reference: /src/vue/standalone/blocks/ai-assistant/vue/Block.vue:60 	__( 'Generate', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:96+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:97 	__( 'Generate a compelling SEO title for your post to improve click-through rates and search engine visibility.', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/pages/sitemaps/views/LlmsSitemap.vue:74@@ -3569,7 +3572,7 @@ 	// Reference: /src/vue/standalone/writing-assistant/views/partials/keyword/New.vue:38 	__( 'Generate a Report', 'all-in-one-seo-pack' ), -	// Reference: 
/src/vue/standalone/post-settings/views/partials/ai-content/utils.js:55+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:56 	__( 'Generate AI-powered images from text prompts to visually enhance your content and capture attention.', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/pages/sitemaps/views/LlmsSitemap.vue:70@@ -3578,41 +3581,41 @@ 	// Reference: /src/vue/composables/Wizard.js:93 	__( 'Generate an XML Sitemap specifically for videos on your site to help search engines find them.', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:14+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:15 	__( 'Generate Content', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:77+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:78 	__( 'Generate FAQs', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/FaqsModal.vue:132 	// Translators: 1 - Number of credits. 	__( 'Generate FAQs (%1$d credits)', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:76+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:77 	__( 'Generate helpful FAQs based on your content to enhance user engagement and boost SEO.', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:56+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:57 	__( 'Generate Image', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/ImageGeneratorModal.vue:57 	// Translators: 1 - Number of credits. 	
__( 'Generate Image (%1$s credits)', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:87+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:88 	__( 'Generate Key Points', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/KeyPointsModal.vue:151 	// Translators: 1 - Number of credits. 	__( 'Generate Key Points (%1$d credits)', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:107+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:108 	__( 'Generate Meta Descriptions', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/MetaDescriptionModal.vue:47 	// Translators: 1 - Number of credits. 	__( 'Generate Meta Descriptions (%1$d credits)', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:66+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:67 	__( 'Generate posts you can easily share on social media so you can reach a broader audience.', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/writing-assistant/views/partials/keyword/New.vue:39@@ -3621,7 +3624,7 @@ 	// Reference: /src/vue/standalone/post-settings/views/lite/Schema.vue:41 	__( 'Generate Schema', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:97+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:98 	__( 'Generate SEO Titles', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/MetaTitleModal.vue:47@@ -3630,7 +3633,7 @@  	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/SocialPostsModal.vue:63 	// Reference: 
/src/vue/standalone/post-settings/views/partials/ai-content/SocialPostsModal.vue:68-	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:67+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:68 	__( 'Generate Social Posts', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/ai-image-generator/extend-block-editor.js:16@@ -4243,7 +4246,7 @@ 	// Reference: /src/vue/composables/Image.js:65 	__( 'Image from Custom Field', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:54+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:55 	__( 'Image Generator', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/ai-image-generator/views/partials/Form.vue:47@@ -4519,7 +4522,7 @@ 	// Reference: /src/vue/standalone/blocks/ai-assistant/vue/Block.vue:57 	__( 'Insert', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/blocks/extend-paragraph-block.js:80+	// Reference: /src/vue/standalone/blocks/extend-paragraph-block.js:86 	__( 'Insert AI Assistant Block', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/FaqsModal.vue:77@@ -4745,7 +4748,7 @@  	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/KeyPointsModal.vue:160 	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/KeyPointsModal.vue:162-	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:85+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:86 	__( 'Key Points', 'all-in-one-seo-pack' ),  	// Reference: /src/app/tru-seo/analyzer/researches/helpers/getKeyphraseType.js:7@@ -4932,7 +4935,7 @@ 	// Reference: /src/vue/standalone/setup-wizard/views/Welcome.vue:43 	__( 'Let\'s Get Started', 'all-in-one-seo-pack' ), -	// Reference: 
/src/vue/standalone/post-settings/views/partials/ai-content/utils.js:13+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:14 	__( 'Leverage AI to generate high-quality, relevant content for your post quickly and efficiently.', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/plugins/constants.js:1449@@ -5027,7 +5030,7 @@ 	// Reference: /src/vue/pages/sitemaps/views/LlmsSitemap.vue:79 	__( 'LLMs.txt Settings', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/composables/AiContent.js:78+	// Reference: /src/vue/composables/AiContent.js:91 	// Translators: 1 - The title of the content. 	__( 'Loading %1$s Content', 'all-in-one-seo-pack' ), 
@@ -5261,7 +5264,7 @@ 	// Reference: /src/app/tru-seo/analyzer/analysis/metadescriptionLength.js:46 	__( 'Meta description length', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:105+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:106 	__( 'Meta Descriptions', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/seo-preview/views/MetaTags.vue:38@@ -6629,7 +6632,7 @@ 	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/Main.vue:50 	__( 'purchase PAYG credits', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/composables/AiContent.js:67+	// Reference: /src/vue/composables/AiContent.js:80 	__( 'Quality', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/pages/search-appearance/views/Advanced.vue:96@@ -7022,6 +7025,7 @@ 	// Reference: /src/vue/standalone/page-builders/oxygen/components/LimitModifiedDate.vue:9 	// Reference: /src/vue/standalone/page-builders/seedprod/limit-modified-date.js:7 	// Reference: /src/vue/standalone/page-builders/thrive-architect/limit-modified-date.js:5+	// Reference: /src/vue/standalone/page-builders/wpbakery/components/LimitModifiedDate.vue:8 	__( 'Save (Don\'t Modify Date)', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/composables/Wizard.js:163@@ -7437,7 +7441,7 @@ 	// Reference: /src/vue/pages/tools/views/lite/CtaExportTaxonomies.vue:28 	__( 'SEO Title/Description', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:95+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:96 	__( 'SEO Titles', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/pages/settings/views/WritingAssistant.vue:45@@ -7703,7 +7707,7 @@ 	// Reference: /src/vue/pages/social-networks/views/Main.vue:19 	__( 'Social Networks', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:65+	// Reference: 
/src/vue/standalone/post-settings/views/partials/ai-content/utils.js:66 	__( 'Social Posts', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/pages/social-networks/router/paths.js:30@@ -7794,7 +7798,7 @@ 	// Reference: /src/vue/classes/SeoAnalysis/AdvancedIssues.js:105 	__( 'Stale content found.', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:106+	// Reference: /src/vue/standalone/post-settings/views/partials/ai-content/utils.js:107 	__( 'Stand out in search results with a meta description that sparks curiosity and drives clicks to your content.', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/standalone/blocks/table-of-contents/vue/SelectMode.vue:67@@ -7853,7 +7857,7 @@ 	// Reference: /src/vue/pages/search-appearance/views/lite/image-seo/ImageSeo.vue:30 	__( 'Strip punctuation from image attributes', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/composables/AiContent.js:68+	// Reference: /src/vue/composables/AiContent.js:81 	__( 'Style', 'all-in-one-seo-pack' ),  	// Reference: /src/app/tru-seo/analyzer/analysis/subheadingsDistribution.js:36@@ -8984,7 +8988,7 @@ 	// Reference: /src/vue/pages/search-appearance/views/lite/image-seo/Blur.vue:40 	// Reference: /src/vue/pages/search-appearance/views/lite/image-seo/Blur.vue:45 	// Reference: /src/vue/pages/search-appearance/views/lite/image-seo/Blur.vue:55-	// Reference: /src/vue/pages/search-statistics/views/index-status/partials/ObjectsTable.vue:193+	// Reference: /src/vue/pages/search-statistics/views/index-status/partials/ObjectsTable.vue:194 	// Reference: /src/vue/pages/search-statistics/views/partials/KeywordInner.vue:70 	// Reference: /src/vue/pages/search-statistics/views/partials/PostsTable.vue:214 	// Reference: /src/vue/pages/seo-analysis/partials/lite/results/SiteAuditAllUrlsTable.vue:60@@ -9094,7 +9098,7 @@ 	// Reference: /src/vue/plugins/constants.js:1566 	__( 'Toddlers', 'all-in-one-seo-pack' ), -	// Reference: 
/src/vue/composables/AiContent.js:66+	// Reference: /src/vue/composables/AiContent.js:79 	// Reference: /src/vue/pages/settings/views/partials/AiContent/Main.vue:42 	// Reference: /src/vue/standalone/blocks/ai-assistant/components/ToneSelector.jsx:5 	__( 'Tone', 'all-in-one-seo-pack' ),@@ -9445,9 +9449,6 @@ 	// Reference: /src/vue/pages/search-statistics/views/partials/Statistic.vue:68 	__( 'Up', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/standalone/page-builders/wpbakery/limit-modified-date/main.js:13-	__( 'Update (Don\'t Modify Date)', 'all-in-one-seo-pack' ),- 	// Reference: /src/vue/components/common/core/FeatureCard.vue:78 	__( 'Update Addon', 'all-in-one-seo-pack' ), 
@@ -9908,7 +9909,7 @@ 	// Translators: 1 - The Page Builder name, 2 - HTML code opening tag, 3 - HTML code closing tag. 	__( 'We have detected that you are currently using the %1$s Page Builder. Please click %2$shere%3$s to use the %1$s editor for a most accurate result.', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/composables/AiContent.js:70+	// Reference: /src/vue/composables/AiContent.js:83 	__( 'We ran into an error. Please try again or contact support if it persists.', 'all-in-one-seo-pack' ),  	// Reference: /src/vue/pages/search-appearance/views/partials/crawl-cleanup/SearchCleanup.vue:36@@ -10251,9 +10252,8 @@ 	// Reference: /src/vue/composables/link-assistant/Links.js:45 	__( 'Yes, I want to delete this link', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/pages/ai-insights/views/partials/ReportsTable.vue:216-	// Translators: 1 - Number of reports.-	_n( 'Yes, I want to delete this report', 'Yes, I want to delete %d reports', 0, 'all-in-one-seo-pack' ),+	// Reference: /src/vue/pages/ai-insights/views/partials/ReportsTable.vue:210+	_n( 'Yes, I want to delete this report', 'Yes, I want to delete these reports', 0, 'all-in-one-seo-pack' ),  	// Reference: /src/vue/components/common/ai/DisconnectModal.vue:29 	// Reference: /src/vue/pages/search-statistics/views/partials/DisconnectModal.vue:23@@ -10319,7 +10319,7 @@ 	// Translators: 1 - Opening HTML strong tag, 2 - Closing HTML strong tag. 	__( 'You can import additional page URL\'s to your sitemap using a CSV file. The following 4 columns are required: %1$sPage URL, Priority, Frequency, Date Modified.%2$s', 'all-in-one-seo-pack' ), -	// Reference: /src/vue/composables/AiContent.js:62+	// Reference: /src/vue/composables/AiContent.js:75 	// Reference: /src/vue/standalone/ai-image-generator/views/partials/Form.vue:52 	// Translators: 1 - Link to the AI Content settings page. 	
__( 'You can manage your default settings under <a href="%1$s" target="_blank" rel="noopener noreferrer">General Settings > AI Content</a>.', 'all-in-one-seo-pack' ),
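Review bot: the new string `__( 'Block hidden in %1$s.', 'all-in-one-seo-pack' )` added in the `@@ -1485,6 +1485,9 @@` hunk carries a placeholder but no `// Translators:` comment, while the same patch adds such comments to `'%1$s brands'`, `'%1$s sources'` and `'%1$s Web Search Sources'`. Add one that says what `%1$s` stands for. Separately, the two `_n()` entries for ReportsTable.vue drop `%d` from the plural form together with their `// Translators: 1 - Number of reports.` comment; it is worth confirming that the caller in ReportsTable.vue no longer formats a count into the returned string. The remaining hunks only shift `// Reference:` line numbers.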
AI Analysis
I'll analyze this diff for security vulnerabilities. This is a localization/translation file for the All in One SEO plugin, showing changes between versions 4.9.2 and 4.9.3.

Vulnerability Existed: no
Translation/Localization String Updates - No CWE
File: languages/aioseo-lite.php
Lines: Various (32, 114-120, 337, 355-358, 824, 1191-1193, 1253, 1299, 1488, 2259, 3205, 3260, 3554, 3569, 3581-3633, 4246, 4522, 4748, 4932, 5030, 5264, 6632, 7025, 7440, 7707, 7798, 7857, 8988, 9098, 9449, 10252, 10319)

Old Code:
Multiple translation strings with outdated references and missing translator comments

Fixed Code:
Updated reference line numbers, added translator comments for context-specific strings, improved string clarity (e.g., "Are you sure you want to delete %d reports?" → "Are you sure you want to delete these reports?")

Explanation:
This diff contains NO security vulnerabilities. The changes are purely localization/translation maintenance:
1. **Reference updates**: Line numbers in source files changed, so translation references were updated to maintain accuracy
2. **Translator comments added**: Strings like "Translators: 1 - Number of brands mentioned" provide context to translators about variable meanings
3. **String improvements**: Minor text changes for clarity (plural form improvements from "%d reports" to "these reports")
4. **Removed unused strings**: Three translation strings were removed (#%1$s, Update (Don't Modify Date))
5. **Added new string**: One new translatable string added ("Block hidden in %1$s.")

These are maintenance changes to translation files with no code execution, input validation, authentication, or security-related logic involved.
CVE Analysis Results:
CVE-2025-14384: No
vendor/autoload.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/vendor/autoload.php	2026-01-16 00:19:53.431216539 +0000+++ cache/all-in-one-seo-pack_4.9.3/vendor/autoload.php	2026-01-16 00:20:16.244649588 +0000@@ -22,4 +22,4 @@  require_once __DIR__ . '/composer/autoload_real.php'; -return ComposerAutoloaderInitb894904cce5cccd75d5edd1ab23976fe::getLoader();+return ComposerAutoloaderInite1a599465208e02257b695f9063e9b01::getLoader();
AI Analysis
Vulnerability Existed: no

No Vulnerability Identified - vendor/autoload.php [Line 25]

Old Code:
```php
return ComposerAutoloaderInitb894904cce5cccd75d5edd1ab23976fe::getLoader();
```

Fixed Code:
```php
return ComposerAutoloaderInite1a599465208e02257b695f9063e9b01::getLoader();
```

Explanation:
This diff shows a change to the Composer autoloader class name in the vendor/autoload.php file. The class name change from `ComposerAutoloaderInitb894904cce5cccd75d5edd1ab23976fe` to `ComposerAutoloaderInite1a599465208e02257b695f9063e9b01` is a routine update that occurs when Composer regenerates its autoloader based on package changes or dependencies. This is a normal maintenance operation and does not represent a security fix or introduce any security vulnerability. The change is functionally equivalent and follows Composer's standard autoloader generation pattern.
CVE Analysis Results:
CVE-2025-14384: No
vendor/composer/autoload_real.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/vendor/composer/autoload_real.php	2026-01-16 00:19:53.431216539 +0000+++ cache/all-in-one-seo-pack_4.9.3/vendor/composer/autoload_real.php	2026-01-16 00:20:16.244649588 +0000@@ -2,7 +2,7 @@  // autoload_real.php @generated by Composer -class ComposerAutoloaderInitb894904cce5cccd75d5edd1ab23976fe+class ComposerAutoloaderInite1a599465208e02257b695f9063e9b01 {     private static $loader; @@ -22,12 +22,12 @@             return self::$loader;         } -        spl_autoload_register(array('ComposerAutoloaderInitb894904cce5cccd75d5edd1ab23976fe', 'loadClassLoader'), true, true);+        spl_autoload_register(array('ComposerAutoloaderInite1a599465208e02257b695f9063e9b01', 'loadClassLoader'), true, true);         self::$loader = $loader = new \Composer\Autoload\ClassLoader(\dirname(__DIR__));-        spl_autoload_unregister(array('ComposerAutoloaderInitb894904cce5cccd75d5edd1ab23976fe', 'loadClassLoader'));+        spl_autoload_unregister(array('ComposerAutoloaderInite1a599465208e02257b695f9063e9b01', 'loadClassLoader'));          require __DIR__ . '/autoload_static.php';-        call_user_func(\Composer\Autoload\ComposerStaticInitb894904cce5cccd75d5edd1ab23976fe::getInitializer($loader));+        call_user_func(\Composer\Autoload\ComposerStaticInite1a599465208e02257b695f9063e9b01::getInitializer($loader));          $loader->register(true); 
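Review bot: The class suffix in `autoload_real.php` has to match in every place it is used, and both hunks need checking for that: the class declaration, the `spl_autoload_register` and `spl_autoload_unregister` callbacks, and the `ComposerStaticInit…::getInitializer` call all move to `e1a599465208e02257b695f9063e9b01`, which they do here. Since the header marks the file `@generated by Composer`, confirm the rename by regenerating the autoloader from the lock file and diffing the output rather than reviewing the hash by eye. A hand edit that missed one of the four references would only surface as a class-not-found failure at load time.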
AI Analysis
Vulnerability Existed: no
No CWE Identified - N/A - vendor/composer/autoload_real.php - Lines 5, 25, 27, 30

Old Code:
```php
class ComposerAutoloaderInitb894904cce5cccd75d5edd1ab23976fe
...
spl_autoload_register(array('ComposerAutoloaderInitb894904cce5cccd75d5edd1ab23976fe', 'loadClassLoader'), true, true);
...
spl_autoload_unregister(array('ComposerAutoloaderInitb894904cce5cccd75d5edd1ab23976fe', 'loadClassLoader'));
...
call_user_func(\Composer\Autoload\ComposerStaticInitb894904cce5cccd75d5edd1ab23976fe::getInitializer($loader));
```

Fixed Code:
```php
class ComposerAutoloaderInite1a599465208e02257b695f9063e9b01
...
spl_autoload_register(array('ComposerAutoloaderInite1a599465208e02257b695f9063e9b01', 'loadClassLoader'), true, true);
...
spl_autoload_unregister(array('ComposerAutoloaderInite1a599465208e02257b695f9063e9b01', 'loadClassLoader'));
...
call_user_func(\Composer\Autoload\ComposerStaticInite1a599465208e02257b695f9063e9b01::getInitializer($loader));
```

Explanation:
This diff shows routine Composer autoloader regeneration between versions 4.9.2 and 4.9.3. The changes consist entirely of updating class name hashes from `b894904cce5cccd75d5edd1ab23976fe` to `e1a599465208e02257b695f9063e9b01`. These hash-based class names are auto-generated by Composer and are consistent references throughout the file—there is no security vulnerability present. The modification is a normal consequence of dependency changes or version updates that trigger Composer's autoloader rebuild process.
CVE Analysis Results:
CVE-2025-14384: No
vendor/composer/autoload_static.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/vendor/composer/autoload_static.php	2026-01-16 00:19:53.431216539 +0000+++ cache/all-in-one-seo-pack_4.9.3/vendor/composer/autoload_static.php	2026-01-16 00:20:16.244649588 +0000@@ -4,7 +4,7 @@  namespace Composer\Autoload; -class ComposerStaticInitb894904cce5cccd75d5edd1ab23976fe+class ComposerStaticInite1a599465208e02257b695f9063e9b01 {     public static $prefixLengthsPsr4 = array (         'P' => @@ -503,10 +503,10 @@     public static function getInitializer(ClassLoader $loader)     {         return \Closure::bind(function () use ($loader) {-            $loader->prefixLengthsPsr4 = ComposerStaticInitb894904cce5cccd75d5edd1ab23976fe::$prefixLengthsPsr4;-            $loader->prefixDirsPsr4 = ComposerStaticInitb894904cce5cccd75d5edd1ab23976fe::$prefixDirsPsr4;-            $loader->prefixesPsr0 = ComposerStaticInitb894904cce5cccd75d5edd1ab23976fe::$prefixesPsr0;-            $loader->classMap = ComposerStaticInitb894904cce5cccd75d5edd1ab23976fe::$classMap;+            $loader->prefixLengthsPsr4 = ComposerStaticInite1a599465208e02257b695f9063e9b01::$prefixLengthsPsr4;+            $loader->prefixDirsPsr4 = ComposerStaticInite1a599465208e02257b695f9063e9b01::$prefixDirsPsr4;+            $loader->prefixesPsr0 = ComposerStaticInite1a599465208e02257b695f9063e9b01::$prefixesPsr0;+            $loader->classMap = ComposerStaticInite1a599465208e02257b695f9063e9b01::$classMap;          }, null, ClassLoader::class);     }
AI Analysis
Vulnerability Existed: no

No Security Vulnerabilities Detected

Explanation:
This diff shows changes to a Composer autoloader static initialization file between versions 4.9.2 and 4.9.3 of the All in One SEO Pack plugin. The changes consist of:

1. Renaming the class from `ComposerStaticInitb894904cce5cccd75d5edd1ab23976fe` to `ComposerStaticInite1a599465208e02257b695f9063e9b01`
2. Updating all references to this class name within the `getInitializer()` method to match the new class name

These changes are typical of Composer-generated autoloader files and reflect updates to the package's dependencies or structure. The hash-based class name is automatically generated by Composer based on the vendor directory contents. This is a normal, non-security-related maintenance update.

There are no security vulnerabilities in this diff:
- No code injection vulnerabilities
- No privilege escalation issues
- No authentication or authorization problems
- No data exposure concerns
- The changes maintain the same functionality and security posture as the previous version

This is routine dependency management and autoloader regeneration.
CVE Analysis Results:
CVE-2025-14384: No
vendor/composer/installed.php AI: No vulnerabilities
--- cache/all-in-one-seo-pack_4.9.2/vendor/composer/installed.php	2026-01-16 00:19:53.431216539 +0000+++ cache/all-in-one-seo-pack_4.9.3/vendor/composer/installed.php	2026-01-16 00:20:16.244649588 +0000@@ -3,7 +3,7 @@         'name' => 'awesomemotive/all-in-one-seo-pack-pro',         'pretty_version' => 'dev-develop',         'version' => 'dev-develop',-        'reference' => 'cd8ff17abadf201b0492106bf98b4b2b31e3aca5',+        'reference' => '659de8f83ce225ae3da75026338894f551db36ee',         'type' => 'library',         'install_path' => __DIR__ . '/../../',         'aliases' => array(),@@ -13,7 +13,7 @@         'awesomemotive/all-in-one-seo-pack-pro' => array(             'pretty_version' => 'dev-develop',             'version' => 'dev-develop',-            'reference' => 'cd8ff17abadf201b0492106bf98b4b2b31e3aca5',+            'reference' => '659de8f83ce225ae3da75026338894f551db36ee',             'type' => 'library',             'install_path' => __DIR__ . '/../../',             'aliases' => array(),
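Review bot: Both `'reference'` entries move to `659de8f83ce225ae3da75026338894f551db36ee`, but the neighbouring `'pretty_version'` and `'version'` lines stay at `dev-develop`, so nothing in `installed.php` records that this build is 4.9.3. The commit hash is the only field in these hunks that ties the shipped files back to source. Consider stamping the release version into the file at build time, or document that `reference` is the value to compare when establishing which commit an installed copy was built from.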
AI Analysis
Vulnerability Existed: no

No CWE vulnerability identified - File: vendor/composer/installed.php

Old Code:
'reference' => 'cd8ff17abadf201b0492106bf98b4b2b31e3aca5',

Fixed Code:
'reference' => '659de8f83ce225ae3da75026338894f551db36ee',

Explanation:
This diff shows a version bump in the composer installed.php file, updating the git reference hash from one commit to another. This is a normal dependency version update and does not introduce, fix, or relate to any security vulnerability. The change is purely metadata that tracks which git commit of the all-in-one-seo-pack-pro package is currently installed. Version updates themselves are not security issues unless they fix a known vulnerability, but this file alone does not indicate whether the referenced commit contains security fixes or not.
CVE Analysis Results:
CVE-2025-14384: No