AI Engine WordPress Plugin Exposes 100,000 WordPress Sites to Privilege Escalation Attacks

A critical security vulnerability in the AI Engine WordPress plugin has put more than 100,000 active installations at risk of privilege escalation attacks.

The flaw, tracked as CVE-2025-11749 with a CVSS score of 9.8, allows unauthenticated attackers to extract bearer tokens and gain complete administrative control over vulnerable WordPress sites.

Security researcher Emiliano Versini discovered the vulnerability on October 4, 2025, and responsibly reported it through the Wordfence Bug Bounty Program, earning a bounty of $2,145.

The vulnerability centers on a sensitive information exposure issue that affects all versions of AI Engine up to and including 3.1.3.

When site administrators enable the ‘No-Auth URL’ feature in the Model Context Protocol (MCP) settings, the plugin inadvertently exposes bearer tokens through the /wp-json/ REST API index.

These tokens serve as authentication credentials for the MCP integration, which enables AI agents like Claude and ChatGPT to control WordPress websites by executing commands, managing media files, and editing user accounts.

Wordfence researchers identified the root cause in the plugin’s REST API route registration process.

The vulnerable code registers No-Auth URL endpoints without setting the ‘show_in_index’ parameter to false, making these endpoints publicly accessible.

Once attackers extract the exposed bearer token from the API index, they can authenticate themselves to the MCP endpoint and execute commands such as ‘wp_update_user’ to escalate their privileges to administrator level.

With administrative access secured, threat actors can upload malicious plugins containing backdoors, modify website content to inject spam, or redirect visitors to harmful sites.

Technical Breakdown of the Exploitation Process

The vulnerability exists within the Meow_MWAI_Labs_MCP class where the plugin registers REST API routes using the rest_api_init() function.

The critical flaw emerges when the No-Auth URL setting is enabled. The code registers special endpoints that include the bearer token directly in the URL path, designed to allow AI agents access without traditional authentication. However, the registration fails to hide these endpoints from the public REST API index.

// No-Auth URL endpoints (with token in path)
$noauth_enabled = $this->core->get_option( 'mcp_noauth_url' );
if ( $noauth_enabled && !empty( $this->bearer_token ) ) {
  register_rest_route( $this->namespace, '/' . $this->bearer_token . '/sse', [
    'methods' => 'GET',
    'callback' => [ $this, 'handle_sse' ],
    'permission_callback' => function ( $request ) {
      return $this->handle_noauth_access( $request );
    },
  ] );
}

An unauthenticated attacker can simply navigate to /wp-json/ on a vulnerable WordPress site to view all registered REST API endpoints.

Sites with No-Auth URL enabled will expose endpoints containing the bearer token in their path structure.

The attacker can then use this token to authenticate requests to the MCP endpoint and execute privileged operations.

Plugin developer Jordy Meow addressed the vulnerability in version 3.1.4 by adding the ‘show_in_index’ => false parameter to prevent the endpoints from appearing in the public index.

However, site administrators who previously had No-Auth URL enabled must rotate their bearer tokens immediately, as the exposed credentials may have already been compromised.

Wordfence deployed firewall rules for Premium, Care, and Response users on October 15, 2025, while free users will receive protection on November 14, 2025.

The firewall detects malicious REST API actions targeting the MCP endpoint and blocks exploitation attempts.

Site owners should update to AI Engine version 3.1.4 immediately and regenerate their bearer tokens through the plugin settings to ensure complete protection against this critical vulnerability.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.