Ddos 
Researchers at Wordfence have disclosed a critical vulnerability (CVE-2025-11749, CVSS 9.8) in the popular AI Engine WordPress plugin that could allow unauthenticated attackers to escalate privileges and take full control of affected websites. The flaw, classified as a Sensitive Information Exposure vulnerability, affects all versions up to and including 3.1.3, with a patch available in version 3.1.4.
“This vulnerability can be exploited by unauthenticated attackers to extract the bearer token and then get full access to the MCP and execute various commands like ‘wp_update_user’, allowing them to escalate their privileges to administrators by updating their user role,” Wordfence explained.
The issue specifically impacts users who have enabled the ‘No-Auth URL’ feature within the plugin’s Model Context Protocol (MCP) settings — a feature that is disabled by default. However, when enabled, it inadvertently exposes sensitive authentication tokens to the public REST API, making exploitation trivial
With more than 100,000 active installations, AI Engine is designed to integrate large language models like ChatGPT and Claude directly into WordPress. Through its MCP (Model Context Protocol) feature, the plugin allows AI agents to execute administrative tasks, including user management, content editing, and media operations.
The flaw resides in how the plugin registers REST API routes via the rest_api_init() function within the Meow_MWAI_Labs_MCP class. In versions prior to 3.1.4, the “No-Auth URL” endpoints were registered publicly without proper restrictions or the show_in_index => false parameter.
Wordfence’s analysis found that, “In the ‘No-Auth URL endpoints (with token in path)’ section, the endpoints are registered just like the other endpoints, without setting the parameter ‘show_in_index’ to false. This means that these endpoints are also public, resulting in them being listed in the /wp-json/ REST API index.”
As a result, when this setting is active, the plugin inadvertently publishes the bearer token within the REST API index, allowing anyone to see and use it.
Once an attacker retrieves the exposed token, they can authenticate directly with the MCP endpoint and issue privileged commands. Wordfence notes, “An attacker who authenticates themselves with the bearer token and thereby gains access to the MCP endpoint can execute various commands, such as ‘wp_update_user’, allowing them to update their own user role to administrator.”
This chain of exploitation effectively enables complete site takeover, allowing adversaries to upload backdoored plugins, inject SEO spam, or redirect visitors to malicious domains.
Wordfence confirmed active probing attempts, reporting that six exploitation attempts had already been detected and blocked within the first 24 hours of public disclosure.
The company emphasizes that exploitation is only possible if the “No-Auth URL” setting is enabled, but warns that administrators may have activated it unknowingly during configuration testing or API integration.
The vulnerability was discovered and responsibly reported by security researcher Emiliano Versini via the Wordfence Bug Bounty Program. Notably, it was reported just one day after the vulnerable code was introduced, earning Versini a bounty of $2,145.
Related Posts:
- Google Gemini to Support Anthropic’s Model Context Protocol (MCP)
- A New Era for Windows: Microsoft’s Protocol Transforms OS into AI Agent Platform
- Microsoft Launches MCP Server for AI to Access Official Documentation
- WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
- Toxic Agent Flow: GitHub MCP Vulnerability Exposes Private Repositories
Donate