A critical vulnerability discovered in the AI Engine WordPress plugin threatens over 100,000 active installations worldwide. On October 4th, 2025, security researchers identified a Sensitive Information Exposure vulnerability that allows unauthenticated attackers to extract bearer tokens and escalate their privileges to administrator level.
The vulnerability, tracked as CVE-2025-11749 with a CVSS rating of 9.8 (Critical), affects all versions up to and including 3.1.3. Fortunately, the developer released a patched version 3.1.4 on October 19th, 2025, addressing the issue.
However, sites that previously enabled the vulnerable “No-Auth URL” setting must immediately rotate their bearer tokens to remain secure.
AI Engine is a powerful WordPress plugin that integrates the Model Context Protocol (MCP) with artificial intelligence agents like Claude and ChatGPT, enabling these systems to perform complex WordPress management tasks including user account modifications, media handling, and post editing.
The vulnerability stems from improper REST API endpoint registration within the plugin’s Meow_MWAI_Labs_MCP class.
When administrators enable the “No-Auth URL” feature in the MCP settings—disabled by default—the plugin registers REST API routes that include the bearer token directly in the endpoint path.
Critically, these endpoints were registered without setting the 'show_in_index' parameter to false, so they are publicly listed in the WordPress REST API index at /wp-json/. Because the token is part of the route path, any unauthenticated client that requests the REST API index can read the bearer token straight out of the route listing, which is all that is needed to compromise an affected site.
Once an attacker obtains the bearer token, they can authenticate themselves to the MCP endpoint and execute administrator-level commands.
The research demonstrated that attackers can leverage commands such as 'wp_update_user' to modify their own user role to administrator, bypassing all authentication and authorization checks.
From this privileged position, attackers can upload malicious plugins or themes containing backdoors, modify site content for spam or phishing purposes, or completely compromise the website.
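The registration mistake described above, shown as an added PHP illustration that is not the AI Engine plugin's own code: the first function reproduces the pattern (secret embedded in the route path, 'show_in_index' left at its default of true, so the route is enumerable through /wp-json/), the second keeps the route out of the index and reads the secret from the Authorization header instead, and the last function shows what the token rotation recommended later in the article amounts to. The namespace 'mcp-demo/v1', the option name 'mcp_demo_bearer_token' and all function names are hypothetical; register_rest_route(), WP_REST_Request, WP_Error, get_option(), update_option() and hash_equals() are real WordPress/PHP APIs.

```php
<?php
/**
 * Added illustration (not the AI Engine plugin's own code).
 * Hypothetical names: 'mcp-demo/v1', 'mcp_demo_bearer_token', mcp_demo_* functions.
 */

// Vulnerable pattern: the secret is a segment of the route path and
// 'show_in_index' is left at its default (true), so a request for the
// /wp-json/ index lists the full path, token included. The permission
// callback returns true because "knowing the URL" is the only check.
function mcp_demo_register_vulnerable_route() {
    $token = (string) get_option( 'mcp_demo_bearer_token' ); // hypothetical option
    register_rest_route( 'mcp-demo/v1', '/' . rawurlencode( $token ) . '/mcp', array(
        'methods'             => 'POST',
        'callback'            => 'mcp_demo_handle',
        'permission_callback' => '__return_true',
        // 'show_in_index' omitted -> defaults to true -> route is enumerable
    ) );
}

// Hardened pattern: fixed route path, hidden from the index, and the secret
// is taken from the Authorization header rather than the URL.
function mcp_demo_register_hardened_route() {
    register_rest_route( 'mcp-demo/v1', '/mcp', array(
        'methods'             => 'POST',
        'callback'            => 'mcp_demo_handle',
        'permission_callback' => 'mcp_demo_check_bearer',
        'show_in_index'       => false, // no longer listed under /wp-json/
    ) );
}

// Permission callback: require "Authorization: Bearer <token>" and compare
// in constant time so response timing cannot leak the stored value.
function mcp_demo_check_bearer( WP_REST_Request $request ) {
    $expected = (string) get_option( 'mcp_demo_bearer_token' );
    $header   = (string) $request->get_header( 'authorization' );

    if ( '' === $expected || ! preg_match( '/^Bearer\s+(\S+)$/i', $header, $m ) ) {
        return new WP_Error( 'rest_unauthorized', 'Missing or malformed bearer token.', array( 'status' => 401 ) );
    }
    if ( ! hash_equals( $expected, $m[1] ) ) {
        return new WP_Error( 'rest_forbidden', 'Invalid bearer token.', array( 'status' => 403 ) );
    }
    return true;
}

function mcp_demo_handle( WP_REST_Request $request ) {
    // Real handler logic would go here; the example only confirms the call succeeded.
    return rest_ensure_response( array( 'ok' => true ) );
}

// Token rotation: a fresh 256-bit value from a CSPRNG replaces the stored one,
// so any copy captured while the old token was exposed stops working.
// autoload=false asks WordPress not to bulk-load the secret with every request.
function mcp_demo_rotate_bearer_token() {
    $new = bin2hex( random_bytes( 32 ) );
    update_option( 'mcp_demo_bearer_token', $new, false );
    return $new;
}

add_action( 'rest_api_init', 'mcp_demo_register_hardened_route' );
```

Two points to keep in mind when reading this: hiding the route with 'show_in_index' => false only stops enumeration, it does not invalidate a token that was already listed, which is why the remediation is the plugin update plus a rotation and not the update alone; and on hosts where PHP runs as CGI/FastCGI the Authorization header may need to be passed through to PHP explicitly, so verify that the header actually reaches the permission callback before relying on it.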
Responsible Disclosure and Timeline
Researcher Emiliano Versini discovered this vulnerability and responsibly reported it through the Wordfence Bug Bounty Program on October 4th, 2025—just one day after the vulnerability was introduced.
Wordfence validated the proof-of-concept exploit and immediately initiated vendor disclosure on October 14th, 2025.
Recognizing the severity, Wordfence Premium, Care, and Response users received a protective firewall rule on October 15th, 2025, before the patch was even released.

The developer acknowledged the report and released version 3.1.4 on October 19th, 2025, with free version users receiving firewall protection thirty days later on November 14th, 2025.
Versini earned a $2,145.00 bounty for this discovery, reflecting Wordfence’s commitment to incentivizing quality vulnerability research that strengthens the WordPress ecosystem.
The entire process demonstrates responsible disclosure practices, with the vulnerability remedied in just fifteen days from initial discovery to patch deployment.
Critical Actions Required
Website administrators using AI Engine must take immediate action to secure their installations. The primary mitigation involves updating to version 3.1.4 or later.
However, sites that previously enabled the “No-Auth URL” feature face additional risk: the bearer token may have already been exposed to attackers.
For these sites, updating the plugin is insufficient; administrators must rotate the bearer token in the plugin settings page immediately.
Failing to rotate the token leaves sites vulnerable even after patching, as existing bearer tokens could be exploited by attackers who captured them before the patch deployment.
Wordfence continues monitoring for exploitation attempts targeting this vulnerability. The firewall rule deployed on October 15th detects and blocks malicious REST API requests attempting to trigger privilege escalation commands.
WordPress administrators without security plugins should prioritize updating immediately, while those with Wordfence protection should verify that both the plugin update and token rotation are completed as soon as possible. Given the critical nature of this vulnerability and the potential for complete site compromise, delay in remediation is not advisable.