
CVE-2025-14384: CWE-862 Missing Authorization in smub All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Severity: Medium
Tags: Vulnerability, CVE-2025-14384, CWE-862
Published: Fri Jan 16 2026 (01/16/2026, 04:44:36 UTC)
Source: CVE Database V5
Vendor/Project: smub
Product: All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic

Description

The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 02/27/2026, 11:10:31 UTC

Technical Analysis

CVE-2025-14384 affects All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic, a popular WordPress plugin developed by smub. The issue stems from a missing authorization check (CWE-862) on the REST API endpoint /aioseo/v1/ai/credits, which is designed to return information about the AI credits or tokens the plugin uses. In all versions up to and including 4.9.2, authenticated users with Contributor-level access or higher can invoke this endpoint without any capability verification and retrieve the global AI access token. The token is sensitive because it may grant access to the AI-powered features or services integrated with the plugin, enabling misuse or unauthorized consumption of AI resources. Exploitation requires no user interaction beyond authentication and does not directly affect data integrity or system availability. The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N) indicates a network-exploitable issue with low attack complexity, low privileges required, no user interaction, unchanged scope and limited confidentiality impact. No patches or exploits are currently documented, but sites with Contributor-level or higher users who might abuse the exposed token are at risk. The vulnerability is rated medium severity because of its limited impact and the prerequisite of authenticated access.

Potential Impact

The primary impact of CVE-2025-14384 is the unauthorized disclosure of the global AI access token used by the All in One SEO plugin. This can lead to unauthorized use of AI services, potentially incurring unexpected costs or service disruptions if the token is abused. While the vulnerability allows neither modification nor deletion of data and does not affect site availability, exposure of a sensitive credential undermines confidentiality and could facilitate further attacks if the token grants broader access. Organizations relying on this plugin for SEO and AI features may face operational risk and reputational damage if attackers exploit the leaked token. The risk is heightened in environments with many or less-trusted Contributor-level users, such as multi-author blogs or agencies. Because the vulnerability requires authenticated access, external attackers cannot exploit it without first obtaining user credentials or insider access. The absence of known in-the-wild exploits lowers the immediate risk but does not eliminate it, especially now that the vulnerability is publicly disclosed.

Mitigation Recommendations

To mitigate CVE-2025-14384, organizations should immediately review and restrict user roles, minimizing the number of users with Contributor-level or higher privileges. Implement strict access controls and monitor user activity for suspicious API calls to /aioseo/v1/ai/credits. Until an official patch is released, consider disabling or restricting access to the vulnerable REST endpoint via a web application firewall (WAF) or custom code that enforces a capability check. Update the All in One SEO plugin to the latest version as soon as a release addressing this vulnerability is available. Additionally, rotate or revoke the global AI access token if possible to prevent misuse. Employ logging and alerting on API access patterns to detect potential exploitation attempts. Educate site administrators and content contributors about the risks of privilege misuse and enforce the principle of least privilege for user roles.
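As an added example (not code from the plugin or from this advisory), the following must-use plugin enforces a capability check on the vulnerable route at the WordPress REST dispatcher, so the plugin's own handler never runs for under-privileged callers. It assumes administrators are identified by the `manage_options` capability; that choice, the log format and the 403 response shape are this example's assumptions.

```php
<?php
/**
 * Plugin Name: Restrict AIOSEO AI credits route (added example, not AIOSEO code)
 *
 * Place in wp-content/mu-plugins/ so it loads before regular plugins.
 * WordPress core's rest_pre_dispatch filter runs after authentication and
 * before any route callback; returning a non-null value short-circuits the
 * request, so the plugin's handler for the route is never reached.
 */

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Normalise the route so a trailing slash cannot dodge the comparison.
    $route = rtrim( $request->get_route(), '/' );

    if ( $route !== '/aioseo/v1/ai/credits' ) {
        return $result; // Not the affected route: let WordPress continue as usual.
    }

    // Assumption: only administrators (manage_options) may read the token.
    if ( current_user_can( 'manage_options' ) ) {
        return $result; // Privileged caller: allow the plugin's handler to run.
    }

    // Record the blocked attempt for alerting; user id 0 means unauthenticated.
    error_log( sprintf(
        'aioseo-credits-guard: blocked user %d from %s (%s)',
        get_current_user_id(),
        $route,
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );

    // rest_authorization_required_code() returns 401 for anonymous callers
    // and 403 for logged-in users who lack the capability.
    return new WP_Error(
        'rest_forbidden',
        __( 'You are not allowed to access this resource.' ),
        array( 'status' => rest_authorization_required_code() )
    );
}, 10, 3 );
```

Blocked requests appear in the PHP error log with the `aioseo-credits-guard:` prefix, which can feed the API access alerting recommended above.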


Technical Details

Data Version: 5.2
Assigner Short Name: Wordfence
Date Reserved: 2025-12-09T19:40:21.846Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 6969c56d7c726673b6f0ba65

Added to database: 1/16/2026, 4:58:21 AM

Last enriched: 2/27/2026, 11:10:31 AM

Last updated: 3/24/2026, 3:10:08 AM

Views: 97
