A vital safety vulnerability within the AI Engine WordPress plugin has put greater than 100,000 energetic installations vulnerable to privilege escalation assaults.
The flaw, tracked as CVE-2025-11749 with a CVSS rating of 9.8, permits unauthenticated attackers to extract bearer tokens and acquire full administrative management over weak WordPress websites.
Safety researcher Emiliano Versini found the vulnerability on October 4, 2025, and responsibly reported it by way of the Wordfence Bug Bounty Program, incomes a bounty of $2,145.
The vulnerability facilities on a delicate info publicity subject that impacts all variations of AI Engine as much as and together with 3.1.3.
When website directors allow the ‘No-Auth URL’ function within the Mannequin Context Protocol (MCP) settings, the plugin inadvertently exposes bearer tokens by way of the /wp-json/ REST API index.
These tokens function authentication credentials for the MCP integration, which permits AI brokers like Claude and ChatGPT to manage WordPress web sites by executing instructions, managing media information, and enhancing consumer accounts.
Wordfence researchers recognized the foundation trigger within the plugin’s REST API route registration course of.
The weak code registers No-Auth URL endpoints with out setting the ‘show_in_index’ parameter to false, making these endpoints publicly accessible.
As soon as attackers extract the uncovered bearer token from the API index, they’ll authenticate themselves to the MCP endpoint and execute instructions resembling ‘wp_update_user’ to escalate their privileges to administrator stage.
With administrative entry secured, menace actors can add malicious plugins containing backdoors, modify web site content material to inject spam, or redirect guests to dangerous websites.
Technical Breakdown of the Exploitation Course of
The vulnerability exists throughout the Meow_MWAI_Labs_MCP class the place the plugin registers REST API routes utilizing the rest_api_init() perform.
The vital flaw emerges when the No-Auth URL setting is enabled. The code registers particular endpoints that embody the bearer token immediately within the URL path, designed to permit AI brokers entry with out conventional authentication. Nonetheless, the registration fails to cover these endpoints from the general public REST API index.
// No-Auth URL endpoints (with token in path)
$noauth_enabled = $this->core->get_option( ‘mcp_noauth_url’ );
if ( $noauth_enabled && !empty( $this->bearer_token ) ) {
register_rest_route( $this->namespace, ‘/’ . $this->bearer_token . ‘/sse’, [
‘methods’ => ‘GET’,
‘callback’ => [ $this, ‘handle_sse’ ],
‘permission_callback’ => perform ( $request ) {
return $this->handle_noauth_access( $request );
},
] );
}
An unauthenticated attacker can merely navigate to /wp-json/ on a weak WordPress website to view all registered REST API endpoints.
Websites with No-Auth URL enabled will expose endpoints containing the bearer token of their path construction.
The attacker can then use this token to authenticate requests to the MCP endpoint and execute privileged operations.
Plugin developer Jordy Meow addressed the vulnerability in model 3.1.4 by including the ‘show_in_index’ => false parameter to stop the endpoints from showing within the public index.
Nonetheless, website directors who beforehand had No-Auth URL enabled should rotate their bearer tokens instantly, because the uncovered credentials could have already been compromised.
Wordfence deployed firewall guidelines for Premium, Care, and Response customers on October 15, 2025, whereas free customers will obtain safety on November 14, 2025.
The firewall detects malicious REST API actions concentrating on the MCP endpoint and blocks exploitation makes an attempt.
Web site homeowners ought to replace to AI Engine model 3.1.4 instantly and regenerate their bearer tokens by way of the plugin settings to make sure full safety towards this vital vulnerability.
Observe us on Google Information, LinkedIn, and X to Get Extra On the spot Updates, Set CSN as a Most well-liked Supply in Google.
