CVE-2025-14384: CWE-862 Missing Authorization in smub All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic
The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to unauthorized access to data due to a missing capability check on the `/aioseo/v1/ai/credits` REST route in all versions up to, and including, 4.9.2. This makes it possible for authenticated attackers, with Contributor-level access and above, to disclose the global AI access token.
AI Analysis
Technical Summary
CVE-2025-14384 is a vulnerability classified under CWE-862 (Missing Authorization) affecting the All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic, a widely used WordPress plugin developed by smub. The issue arises from a missing capability check on the REST API route `/aioseo/v1/ai/credits` in all versions up to and including 4.9.2. This endpoint exposes the global AI access token, a sensitive credential used to access the plugin's AI-powered features. Any authenticated user with at least Contributor-level privileges can therefore retrieve the token without further authorization. Because the Contributor role is commonly assigned to users who can create and edit content but not publish it, the set of accounts able to reach the endpoint is far larger than the administrators who should be able to. The CVSS v3.1 score is 4.3 (medium): the attack vector is network-based, attack complexity is low, the attacker needs an authenticated account, and no user interaction is required. The impact is limited to confidentiality: exposure of the token could lead to unauthorized use of the AI services linked to the plugin, but does not directly affect data integrity or availability. No known exploits have been reported in the wild, and no official patch had been published at the time of analysis. The vulnerability underlines the need for proper authorization checks, not merely authentication, on REST API endpoints, especially in plugins that integrate with external services.
Potential Impact
For European organizations, the exposure of the global AI access token could lead to unauthorized use of AI services, potentially incurring unexpected costs or misuse of AI-generated content. While this does not directly compromise website integrity or availability, it could lead to indirect reputational damage if attackers leverage the token for malicious purposes. Organizations relying heavily on WordPress for their online presence and using this plugin are at risk, especially those with multiple users assigned Contributor or higher roles. The confidentiality breach could also be a stepping stone for further attacks if the AI token is linked to other sensitive systems or data. Given the widespread use of WordPress and SEO plugins in Europe, particularly in countries with large digital economies, the impact could be significant if not addressed promptly.
Mitigation Recommendations
1. Immediately audit user roles and restrict Contributor-level access to trusted users only, minimizing the number of users who can exploit this vulnerability.
2. Monitor REST API access logs for unusual requests to the `/aioseo/v1/ai/credits` endpoint, especially from authenticated users with Contributor or higher privileges.
3. Disable or restrict the plugin's AI features temporarily if possible until a patch is released.
4. Implement web application firewall (WAF) rules to block unauthorized access to the vulnerable REST route.
5. Stay alert for official patches or updates from the plugin vendor and apply them promptly once available.
6. Educate content creators and contributors about the risks of privilege misuse and enforce strict access control policies.
7. Consider using role management plugins to enforce more granular permissions beyond WordPress defaults.
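As an added example (not the plugin's code and not part of the advisory), the following PHP contrasts the CWE-862 pattern described in the technical summary with a route registration that checks a capability, and shows a must-use plugin that a site owner can use as a temporary guard for the route (mitigations 3 and 4 above) until the vendor fix is applied. The handler name, the "logged-in only" permission callback and the choice of `manage_options` as the required capability are assumptions, since the advisory does not show the route's real implementation.

```php
<?php
/**
 * Illustrative example of the CVE-2025-14384 authorization gap and two
 * defensive fixes. Not the plugin's code; handler and capability names are
 * assumptions made for this example.
 */

// Vulnerable pattern: the route verifies that the caller is logged in
// (authentication) but never checks what the caller may do (authorization),
// so a Contributor receives the same response body as an administrator.
function example_register_credits_route_vulnerable() {
    register_rest_route( 'aioseo/v1', '/ai/credits', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_ai_credits', // hypothetical handler
        'permission_callback' => 'is_user_logged_in',      // Contributor passes
    ) );
}

// Hardened pattern: require a capability that Contributors do not hold.
// A plugin would call this from the 'rest_api_init' action.
function example_register_credits_route_hardened() {
    register_rest_route( 'aioseo/v1', '/ai/credits', array(
        'methods'             => 'GET',
        'callback'            => 'example_get_ai_credits',
        'permission_callback' => function () {
            // 'manage_options' is assumed to be the right bar here.
            return current_user_can( 'manage_options' );
        },
    ) );
}

// Virtual patch for site owners: drop this file into wp-content/mu-plugins/.
// 'rest_pre_dispatch' runs after WordPress has authenticated the request but
// before any route callback, so the plugin's handler never sees requests from
// callers without the required capability.
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( '/aioseo/v1/ai/credits' === $request->get_route()
         && ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'You are not allowed to read AI credits.',
            array( 'status' => rest_authorization_required_code() ) // 401 or 403
        );
    }
    return $result; // null: let WordPress dispatch the request normally
}, 10, 3 );
```

Once the vendor's fixed version is installed, remove the must-use file so the guard does not mask future changes to the route.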
Affected Countries
Germany, United Kingdom, France, Netherlands, Italy, Spain, Poland, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: Wordfence
- Date Reserved: 2025-12-09T19:40:21.846Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 6969c56d7c726673b6f0ba65
Added to database: 1/16/2026, 4:58:21 AM
Last enriched: 1/16/2026, 5:14:25 AM
Last updated: 1/16/2026, 9:38:13 AM