State-owned websites and Moroccan media: A critical vulnerability affects WordPress

This plugin, essential for natural search engine optimization, offers automated tools for writing articles, titles, and metadata. The identified vulnerability lies in a flaw in permission control within the system. Specifically, a simple contributor - the lowest level of privilege usually granted to writers to submit drafts - can now view the global security token governing the artificial intelligence. By seizing this digital key, a malicious user can generate content covertly or exhaust the usage quotas billed to the site owner.

For administrators of Moroccan websites, the danger is primarily operational and financial. Many press platforms and institutional sites use these features to assist their editorial production. The exposure of this token allows an attacker to automate requests, creating a denial of service for the tools on which administrators depend. Although this vulnerability does not allow the direct execution of malicious code, it constitutes a leak of sensitive data that can impact the budget management of digital services.

This is not the first time the AIOSEO tool has faced criticism regarding its security. Over the course of 2025, the plugin has already recorded six major vulnerabilities related to a flawed management of permissions for low-privilege users. This level of insecurity is considered high compared to its direct competitors: Yoast SEO has reported no vulnerabilities over the same period, while RankMath and Squirrly SEO have recorded four and three, respectively.