aioseo CVE Vulnerabilities & Metrics

Focus on aioseo vulnerabilities and metrics.

Last updated: 07 Jun 2025, 22:25 UTC

About aioseo Security Exposure

This page consolidates all known Common Vulnerabilities and Exposures (CVEs) associated with aioseo. We track both calendar-based metrics (using fixed periods) and rolling metrics (using sliding windows) to give you a comprehensive view of security trends and risk evolution. Use these insights to assess risk and plan your patching strategy.


Global CVE Overview

Total aioseo CVEs: 10
Earliest CVE date: 24 May 2021, 11:15 UTC
Latest CVE date: 19 May 2025, 05:15 UTC

Latest CVE reference: CVE-2025-2892

Rolling Stats

30-day Count (Rolling): 1
365-day Count (Rolling): 1

Calendar-based Variation

Calendar-based Variation compares a fixed calendar period (e.g., this month versus the same month last year), while Rolling Growth Rate uses a continuous window (e.g., last 30 days versus the previous 30 days) to capture trends independent of calendar boundaries.

Variations & Growth

Month Variation (Calendar): 0%
Year Variation (Calendar): -50.0%

Month Growth Rate (30-day Rolling): 0.0%
Year Growth Rate (365-day Rolling): -50.0%

Monthly CVE Trends (current vs previous Year)

Annual CVE Trends (Last 20 Years)

Critical aioseo CVEs (CVSS ≥ 9) Over 20 Years

CVSS Stats

Average CVSS: 1.95

Max CVSS: 9.0

Critical CVEs (≥9): 1

CVSS Range vs. Count

Range Count
0.0-3.9 7
4.0-6.9 2
7.0-8.9 0
9.0-10.0 1

CVSS Distribution Chart

Top 5 Highest CVSS aioseo CVEs

These are the five CVEs with the highest CVSS scores for aioseo, sorted by severity first, then by recency.

All CVEs for aioseo

CVE-2025-2892 aioseo vulnerability CVSS: 0 19 May 2025, 05:15 UTC

The All in One SEO – Powerful SEO Plugin to Boost SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the post Meta Description and Canonical URL parameters in all versions up to, and including, 4.8.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2024-3368 aioseo vulnerability CVSS: 0 20 May 2024, 06:15 UTC

The All in One SEO WordPress plugin before 4.6.1.1 does not validate and escape some of its Post fields before outputting them back, which could allow users with the contributor role and above to perform Stored Cross-Site Scripting attacks.

CVE-2024-3554 aioseo vulnerability CVSS: 0 02 May 2024, 17:15 UTC

The All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's shortcode(s) in all versions up to, and including, 4.6.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-0586 aioseo vulnerability CVSS: 0 24 Feb 2023, 15:15 UTC

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Contributor+ role to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2023-0585 aioseo vulnerability CVSS: 0 24 Feb 2023, 15:15 UTC

The All in One SEO Pack plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple parameters in versions up to, and including, 4.2.9 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with Administrator role or above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

CVE-2022-42494 aioseo vulnerability CVSS: 0 08 Nov 2022, 19:15 UTC

Server Side Request Forgery (SSRF) vulnerability in All in One SEO Pro plugin <= 4.2.5.1 on WordPress.

CVE-2022-38093 aioseo vulnerability CVSS: 0 09 Sep 2022, 15:15 UTC

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in All in One SEO plugin <= 4.2.3.1 at WordPress.

CVE-2021-25037 aioseo vulnerability CVSS: 4.0 17 Jan 2022, 13:15 UTC

The All in One SEO WordPress plugin before 4.1.5.3 is affected by an authenticated SQL injection issue, which was discovered during an internal audit by the Jetpack Scan team, and could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

CVE-2021-25036 aioseo vulnerability CVSS: 6.5 17 Jan 2022, 13:15 UTC

The All in One SEO WordPress plugin before 4.1.5.3 is affected by a Privilege Escalation issue, which was discovered during an internal audit by the Jetpack Scan team, and may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.

CVE-2021-24307 aioseo vulnerability CVSS: 9.0 24 May 2021, 11:15 UTC

The All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings before 4.1.0.2 enables authenticated users with the "aioseo_tools_settings" privilege (most of the time admin) to execute arbitrary code on the underlying host. Users can restore the plugin's configuration by uploading a backup .ini file in the section "Tool > Import/Export". However, the plugin attempts to unserialize values of the .ini file. Moreover, the plugin embeds the Monolog library, which can be used to craft a gadget chain and thus trigger system command execution.