AIOSEO Exposes Global AI Access Token

Wordfence disclosed a vulnerability in the All in One SEO (AIOSEO) WordPress plugin that allowed authenticated users with contributor-level access to retrieve a site's global AI access token. The flaw, a missing capability check on the /aioseo/v1/ai/credits REST endpoint (served under the site's REST prefix, /wp-json/ by default), affects versions up to and including 4.9.2. With the token, an attacker holding a contributor account could generate content through the site's AI integration or exhaust its AI credits, turning a low-privilege account into a billing and availability problem for the site owner. AIOSEO fixed the issue in version 4.9.3; the plugin is installed on over 3 million sites.
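The following is an illustrative WordPress REST endpoint added to this summary; it is not AIOSEO's code and does not reproduce its fix. It shows the class of bug described above, a permission callback that admits any logged-in user, next to a hardened registration that requires an administrative capability and keeps the bearer token out of the response altogether. The route namespace example/v1, the option name example_ai_token, the upstream URL and every example_* function name are invented for the example.

```php
<?php
/**
 * Illustrative WordPress REST endpoint written for this summary. It is NOT
 * AIOSEO's code and does not reproduce its fix. The route namespace
 * 'example/v1', the option 'example_ai_token', the API URL and the helper
 * function names are all invented for the example.
 */

// Weak registration: 'is_user_logged_in' admits every authenticated role,
// contributors included. Requiring 'edit_posts' would be no better, because
// contributors hold that capability too.
function example_register_weak_route() {
    register_rest_route( 'example/v1', '/ai/credits', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_credits',
        'permission_callback' => 'is_user_logged_in',
    ) );
}

// Hardened registration: reading a site-wide secret is an administrative
// action, so require 'manage_options' and fail closed with the status code
// WordPress uses for REST authorization failures (401 anonymous, 403 otherwise).
function example_register_hardened_route() {
    register_rest_route( 'example/v1', '/ai/credits', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'example_get_credits',
        'permission_callback' => 'example_can_manage_ai',
    ) );
}

function example_can_manage_ai( WP_REST_Request $request ) {
    if ( current_user_can( 'manage_options' ) ) {
        return true;
    }
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to view AI credits.', 'example' ),
        array( 'status' => rest_authorization_required_code() )
    );
}

// Handler: return the balance only. The token is a bearer secret the browser
// never needs; keeping it out of the response limits the damage if the
// permission check is ever weakened again.
function example_get_credits( WP_REST_Request $request ) {
    $token = get_option( 'example_ai_token', '' );
    if ( '' === $token ) {
        return new WP_Error(
            'example_not_connected',
            __( 'AI service is not connected.', 'example' ),
            array( 'status' => 404 )
        );
    }

    $balance = example_fetch_credit_balance( $token );
    if ( is_wp_error( $balance ) ) {
        return $balance;
    }
    return rest_ensure_response( array( 'credits' => $balance ) );
}

// Hypothetical upstream call; the URL is a placeholder. The WP HTTP API is
// used so the site's TLS and proxy settings apply.
function example_fetch_credit_balance( $token ) {
    $response = wp_remote_get( 'https://api.example.invalid/v1/credits', array(
        'timeout' => 10,
        'headers' => array( 'Authorization' => 'Bearer ' . $token ),
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    if ( 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error(
            'example_upstream',
            __( 'Credit lookup failed.', 'example' ),
            array( 'status' => 502 )
        );
    }
    $body = json_decode( wp_remote_retrieve_body( $response ), true );
    return isset( $body['credits'] ) ? (int) $body['credits'] : 0;
}

add_action( 'rest_api_init', 'example_register_hardened_route' );
```

Two practitioner notes. First, the installed version can be read without opening the dashboard, for example with WP-CLI: wp plugin get all-in-one-seo-pack --field=version; anything at or below 4.9.2 is in the affected range. Second, a bearer token that has already been read is not invalidated by the upgrade, so on sites that ran a vulnerable version with contributor accounts the token should be treated as exposed and re-issued through whatever mechanism the vendor provides.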
Key Points
- Exposes the site's global AI access token through a missing REST capability check on the /aioseo/v1/ai/credits endpoint
- Lets contributor-level users generate AI content or exhaust the site's AI credits, creating billing and availability risk
- Requires upgrading to AIOSEO 4.9.3 or later and reviewing contributor accounts on affected sites
Scoring Rationale
Scope is high (over three million installs) and remediation is clear (upgrade to 4.9.3 or later); the score is tempered because no widespread exploitation has been reported.

