The Wordfence Threat Intelligence team identified a severe security flaw in the AI Engine plugin, a widely used tool installed on over 100,000 WordPress websites.
This vulnerability, classified as an Insufficient Authorization to Privilege Escalation via Model Context Protocol (MCP), has a CVSS score of 8.8 (High) and has been assigned the identifier CVE-2025-5071.
Affecting versions 2.8.0 to 2.8.3 of the plugin, the flaw allows authenticated attackers with subscriber-level access or higher to gain full control over the MCP module, enabling them to execute critical commands such as ‘wp_update_user’.
This can result in privilege escalation by modifying user roles to administrator level, posing a significant risk of complete site compromise.
Importantly, the issue critically impacts only those users who have manually enabled the Dev Tools and MCP module in the plugin settings, both of which are disabled by default.
Critical Vulnerability Uncovered in Popular AI Plugin
The technical root of this vulnerability lies in the plugin’s inadequate permission checks within the ‘can_access_mcp()’ function of the Meow_MWAI_Labs_MCP class.
By default, access to MCP endpoints was granted to any logged-in user due to a reliance on the ‘is_user_logged_in()’ condition without stricter capability checks.
Even when Bearer Token authentication was configured, a flaw in the ‘auth_via_bearer_token()’ function allowed attackers to bypass authentication by omitting the token, falling back to the default logged-in user access.
This oversight enabled attackers to interact with MCP endpoints and execute commands like ‘wp_create_user’, ‘wp_update_option’, ‘wp_update_post’, and ‘wp_delete_comment’, which could be exploited for malicious activities including uploading backdoors via plugins or redirecting users to harmful sites.
The potential for such extensive damage underscores the critical nature of this flaw, as administrative access grants full control over a WordPress site’s content, settings, and user management.
Swift Patch and Protection Measures Rolled Out
In response to the discovery, Wordfence promptly initiated responsible disclosure by contacting the plugin developer, Jordy Meow, on May 21, 2025.
Within an hour, the developer acknowledged the issue, and after receiving full disclosure details, released a patch in version 2.8.4 on June 18, 2025.
The fix modifies the ‘can_access_mcp()’ function to enforce administrator-level capability checks by default and strengthens the Bearer Token authentication process with rigorous empty value validations.
According to the Report, Wordfence Premium, Care, and Response users received a firewall rule to block exploitation attempts as early as May 22, 2025, while free users will gain the same protection on June 21, 2025. Wordfence commended Meow for their swift action in addressing the vulnerability.
Given the severity of this issue, WordPress administrators are strongly urged to update to AI Engine version 2.8.4 immediately to safeguard their sites.
This vulnerability serves as a stark reminder of the importance of robust permission controls in plugins handling sensitive functionalities like AI-driven protocols.
Site owners using this plugin should verify their settings and ensure updates are applied to mitigate the risk of unauthorized access and potential site takeover by malicious actors.
Sharing this information with peers who may use the AI Engine plugin is also recommended to maintain broader community security.
Find this News Interesting! Follow us on Google News, LinkedIn, and X to Get Instant Updates
Source link
