Critical Vulnerability Exposes 100,000 WordPress Sites to Privilege Escalation Attacks
A security flaw in the AI Engine WordPress plugin affects more than 100,000 active installations and leaves them open to privilege escalation.
The vulnerability, tracked as CVE-2025-11749 with a CVSS score of 9.8, lets unauthenticated attackers read the plugin's bearer tokens from a public endpoint and use them to gain full administrative control of affected WordPress sites.
The discovery of this flaw was made by security researcher Emiliano Versini on October 4, 2025. Versini responsibly disclosed the issue through the Wordfence Bug Bounty Program, a move that earned him a reward of $2,145.
At its core the issue is a sensitive information exposure affecting all versions of AI Engine up to and including 3.1.3.
It is triggered when an administrator enables the ‘No-Auth URL’ option in the plugin's Model Context Protocol (MCP) settings: the bearer token then appears in the public REST API index served at /wp-json/.
These tokens are the credentials for the MCP integration, which lets AI agents such as Claude and ChatGPT operate on a WordPress site: running commands, managing media files and modifying user accounts.
Researchers from Wordfence have pinpointed the root cause in the process by which the plugin registers REST API routes.
The vulnerable code registers the No-Auth URL endpoints without setting the ‘show_in_index’ route argument to false, so the routes, and the token embedded in their paths, are listed for anyone who requests the index.
Once the bearer token is read from the exposed index, an attacker can authenticate to the MCP endpoint and escalate privileges by invoking commands such as ‘wp_update_user’.
With administrative access, an attacker can upload backdoored plugins, alter site content to distribute spam, or redirect visitors to malicious sites.
Technical Dissection of the Exploitation Mechanism
The vulnerability sits in the Meow_MWAI_Labs_MCP class, which registers its REST API routes with register_rest_route() on the rest_api_init action hook.
The flaw surfaces when the No-Auth URL setting is enabled. The code below registers special endpoints that embed the bearer token directly in the URL path, so that AI agents can reach them without standard authentication, but it does not hide these endpoints from the public REST API index.
    // No-Auth URL endpoints (with token in path)
    $noauth_enabled = $this->core->get_option('mcp_noauth_url');
    if ($noauth_enabled && !empty($this->bearer_token)) {
        // The token becomes a path segment; no 'show_in_index' => false is set,
        // so WordPress lists this route (token included) in /wp-json/.
        register_rest_route($this->namespace, '/' . $this->bearer_token . '/sse', [
            'methods' => 'GET',
            'callback' => [$this, 'handle_sse'],
            'permission_callback' => function ($request) {
                return $this->handle_noauth_access($request);
            },
        ]);
    }

An unauthenticated attacker only has to request /wp-json/ on a vulnerable site to enumerate every registered REST API route.
On sites with No-Auth URL enabled, that listing includes the endpoints whose path contains the bearer token.
With the token in hand, the attacker can authenticate requests to the MCP endpoint and perform privileged operations.
In response to the disclosure, plugin developer Jordy Meow fixed the issue in version 3.1.4 by adding ‘show_in_index’ => false to the route registration, which keeps the endpoints out of the public index.
Site administrators who had No-Auth URL enabled before updating must also rotate their bearer tokens immediately, since the previously exposed credentials may already have been harvested.
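The following script is an added example for this article, not code from the plugin, from Wordfence or from WordPress. It models the two route registrations described above (the vulnerable one without ‘show_in_index’ and the patched one with it), builds the REST index the way WordPress does for routes that are or are not shown in the index, and then scans an index for routes whose path carries a long token followed by /sse. The namespace ‘mcp/v1’, the ‘/messages’ route, the token length threshold and the fake token are assumptions constructed for the example; the plugin's real namespace and token format are not given in the article.

```python
"""Scan a WordPress REST API index (/wp-json/) for routes that carry a bearer
token in their path. Added example for this article; not code from AI Engine,
Wordfence or WordPress. Namespace "mcp/v1", the "/messages" route, the token
length threshold and FAKE_TOKEN below are assumptions constructed for the demo."""
import json
import re
import sys
import urllib.request

# Heuristic (assumption): a namespace, then a path segment of 32 or more
# URL-safe characters, then "/sse", the endpoint shape shown in the plugin's
# registration code. Lower the length threshold if your tokens are shorter.
TOKEN_ROUTE = re.compile(
    r"^/(?P<ns>[^/]+(?:/v\d+)?)/(?P<token>[A-Za-z0-9_-]{32,})/sse$"
)


def find_exposed_tokens(index):
    """Return (route, token) pairs for every route in the index matching TOKEN_ROUTE."""
    hits = []
    for route in index.get("routes", {}):
        m = TOKEN_ROUTE.match(route)
        if m:
            hits.append((route, m.group("token")))
    return hits


def fetch_index(site_url, timeout=10.0):
    """Fetch the live /wp-json/ index from a site you are authorised to test."""
    req = urllib.request.Request(
        site_url.rstrip("/") + "/wp-json/",
        headers={"User-Agent": "rest-index-token-check"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def build_index(registered_routes):
    """Simplified model of how WP_REST_Server builds the index: a registered route
    is listed unless every one of its handlers sets 'show_in_index' => false
    (register_rest_route defaults it to true). Input: {route: [handler, ...]}
    where each handler is a dict mirroring the PHP argument array."""
    routes = {}
    for route, handlers in registered_routes.items():
        methods = []
        for handler in handlers:
            if not handler.get("show_in_index", True):
                continue  # hidden handler: contributes nothing to the index
            methods.append(handler.get("methods", "GET"))
        if methods:
            routes[route] = {"methods": methods}
    return {"routes": routes}


# Constructed fake token; not a real credential.
FAKE_TOKEN = "3f9c1e7a2b4d5f6a8c0e1b2d3f4a5c6e7b8d9f0a"

# Vulnerable registration (AI Engine <= 3.1.3 behaviour): no show_in_index flag,
# so the token-bearing route is listed in /wp-json/.
VULNERABLE_ROUTES = {
    "/mcp/v1/messages": [{"methods": "POST"}],
    f"/mcp/v1/{FAKE_TOKEN}/sse": [{"methods": "GET"}],
}

# Patched registration (3.1.4): the token route is hidden from the index.
PATCHED_ROUTES = {
    "/mcp/v1/messages": [{"methods": "POST"}],
    f"/mcp/v1/{FAKE_TOKEN}/sse": [{"methods": "GET", "show_in_index": False}],
}


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Live check: python check_index.py https://example.test
        index = fetch_index(sys.argv[1])
    else:
        # Offline demo against the constructed vulnerable registration.
        index = build_index(VULNERABLE_ROUTES)
    for route, token in find_exposed_tokens(index):
        print(f"token exposed in index: {route}  (token {token[:8]}...)")
    if not find_exposed_tokens(build_index(PATCHED_ROUTES)):
        print("patched registration: no token-bearing route in the index")
```

Run it without arguments to see the constructed vulnerable index flagged and the patched one pass; run it with a site URL to fetch that site's real /wp-json/ index, only on sites you are authorised to test. Because the scan keys on the route shape rather than on a specific token value, it also works after a token rotation, and a hit after upgrading to 3.1.4 means the plugin was not actually updated or another plugin is embedding secrets in route paths.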

Wordfence released a firewall rule for Premium, Care, and Response users on October 15, 2025; free users receive the same protection on November 14, 2025.
The rule detects malicious REST API requests aimed at the MCP endpoint and blocks exploitation attempts.
Site owners are strongly advised to update to AI Engine 3.1.4 and regenerate their bearer tokens in the plugin settings, since the update alone does not invalidate a token that was already exposed.
Source link: Cybersecuritynews.com.