Viewing 9 replies - 1 through 9 (of 9 total)
  • Plugin Support Steve M

    (@wpsmort)

    Hi @dominokozmali,

    We’ve already deployed a fix for this in AIOSEO version 4.8.7 and are currently waiting on Patchstack to verify and confirm the fix. We’ll keep you updated, but this should already have been addressed.

    This vulnerability also hasn’t been exploited by anyone and can only be executed by someone who already has a login to your website.

    Thread Starter Dominik Kozmáli

    (@dominokozmali)

    Hi Steve @wpsmort ,

    I have updated the plugin to the latest version, 4.8.7, but unfortunately it still shows me the security message, even after a new Wordfence re-scan:

    The Plugin “All in One SEO” has a security vulnerability.

    Type: Plugin Vulnerable

    Found: 27. 09. 2025 04:28

    Critical

    Plugin Name: All in One SEO

    Current Plugin Version: 4.8.7

    Details: To protect your site from this vulnerability, the safest option is to deactivate and completely remove “All in One SEO” until a patched version is available. Get more information.

    Repository URL: View

    Vulnerability Information: View

    Vulnerability Severity: 5.4/10.0 (Medium)

    Following

    Also seeing this issue in ManageWP on multiple websites. Commenting so I can be kept up to date on this issue. Thank you.

    Plugin Support Steve M

    (@wpsmort)

    Hi @dominokozmali,

    We’ve already deployed a fix for this vulnerability in AIOSEO version 4.8.7, and we reported this to Patchstack. We’ve been waiting on Patchstack to verify and confirm the fix.

    We followed up with Patchstack again last week, but it’s up to them to update their vulnerability database to mark this as patched. Until they do this, it’ll incorrectly appear as vulnerable in any security plugin or tool until they’ve updated their database.

    Again, this vulnerability has already been patched, and if you’re on AIOSEO v4.8.7 or later then you’re protected, and you can safely ignore any warning about this. This vulnerability also hasn’t been exploited by anyone and can only be executed by someone who already has a login to your website.

    I hope this helps!

    It would probably be faster if you just rolled a few minor fixes… nothing major, into a new update 4.8.8 and revisited the “Missing Authorization” issue, clearly stating that it’s been (already in 4.8.7) resolved. From a compliance and liability standpoint, site operators really have no choice but to disable your add-on once the version number is flagged. It’s pretty rare for a CVE to be retroactively adjusted in that regard.

    Thread Starter Dominik Kozmáli

    (@dominokozmali)

    @nicodemusy2k – I agree; I thought they would solve it that way, because it’s the standard solution.

    Plugin Support Prabhat

    (@prabhatrai)

    Hi @dominokozmali @nicodemusy2k @skylerdynedge @rsb1234,

    I’m happy to confirm that Patchstack has now officially verified and marked this vulnerability as fixed.

    You can see their update here:

    https://patchstack.com/database/wordpress/plugin/all-in-one-seo-pack/vulnerability/wordpress-all-in-one-seo-pack-plugin-4-8-7-sensitive-data-exposure-vulnerability

    Please make sure you’ve updated to AIOSEO version 4.8.7.2.

    Feel free to let me know if you have any other questions. I’m here to help.

    Thread Starter Dominik Kozmáli

    (@dominokozmali)

    Yes, I confirm that the security warning is no longer displayed, even by Wordfence.

    I mark this case as solved 🙂

    Thank you
