CVE-2026-5075
CWE-200 · Published: May 20, 2026 · Updated: May 20, 2026
Official Description
The All in One SEO plugin for WordPress is vulnerable to Sensitive Information Exposure via 'internalOptions' localized script data in versions up to, and including, 4.9.7 due to sensitive internal option data being passed to wp_localize_script() in post editor contexts without effective masking for low-privilege users. This makes it possible for authenticated attackers, with contributor-level access and above, to view configured API/OAuth tokens and license-related values from page source.
Technical Analysis
CVE-2026-5075 is exploitable remotely over the network; no physical or adjacent access is required, which widens the attack surface.
Exploitation requires low privileges (an authenticated account with contributor-level access or above), which limits exposure to scenarios where an attacker has already gained initial access.
The weakness is classified as CWE-200: information exposure vulnerabilities leak sensitive data to unauthorized actors. Here, the exposed data is configured API/OAuth tokens and license-related values visible in page source.
CVSS v3.1 Vector Breakdown
Affected Vendors & Products
Exploit & PoC Resources
News & Research Mentioning CVE-2026-5075
Check Point has warned of active exploitation of a critical vulnerability impacting Remote Access VPN and Mobile Access deployments that are configured to use the deprecated IKEv1 key exchange protocol. The vulnerability, tracked as CVE-2026-50751 (CVSS score: 9.3), is a case of a logic flow weakness in certificate validation that allows an unauthenticated remote attacker to bypass user [Source: The Hacker News]
CISA has added two new vulnerabilities to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation: CVE-2026-42271 BerriAI LiteLLM Command Injection Vulnerability; CVE-2026-50751 Check Point Security Gateway Improper Authentication Vulnerability. These types of vulnerabilities are a frequent attack vector for malicious cyber actors and pose significant risks to the federal enterprise. Binding Operational Directive (BOD) 22-01: Reducing the Significant Risk of Known Exploited Vulnerabilities established the KEV Catalog as a living list of known Common Vulnerabilities and Exposures (CVEs) that carry significant risk to the federal enterprise. BOD 22-01 requires Federal Civilian Executive Branch (FCEB) agencies to remedi [Source: CISA Alerts]
All References (2)
Quick Facts
Related CVEs (CWE-200)
Recommended Actions
- Apply vendor patches immediately
- Monitor CVE-2026-5075 in threat intel feeds
- Review IDS/IPS signatures for exploitation attempts