The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source.
CVE-2026-5075
MEDIUMNVD 4.34.3—
EchelonGraph scoreMEDIUM confidence
Score 4.3 from GitHub Security Advisory published 2026-05-20. NVD baseline CVSS 4.3; sources differ by 0.0.
Triggered by: GitHub Security Advisory CVSS
Sources: epss, ghsa, nvd
4.3
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
- Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 4.3Exploit: NoneExposed: 0
No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.
- CVSS v3
- 4.3
- EG Score
- 4.3(medium)
- EPSS
- 20.5%
- KEV
- Not listed
Published
May 20, 2026
Last Modified
May 20, 2026
References (2)
Vendor Advisories for CVE-2026-5075(1)
These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.
Related CVEs(same CWE)
Same CWE
10 shownCWE-200
Frequently asked(5)
What is CVE-2026-5075?
CVE-2026-5075 is a medium vulnerability published on May 20, 2026. The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wplocalizescript() in post editor contexts without effective masking for…
When was CVE-2026-5075 disclosed?
CVE-2026-5075 was first published in the National Vulnerability Database on May 20, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-5075 actively exploited?
CVE-2026-5075 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 20.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-5075?
CVE-2026-5075 has a CVSS v3 base score of 4.3 (NVD).
How do I remediate CVE-2026-5075?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-5075, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.
Dependency Blast Radius
Explore the affected products and dependency analysis for CVE-2026-5075
Is Your Infrastructure Affected by CVE-2026-5075?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.