WordPress AI Engine Flaw (CVE-2025-5071): Critical Bug Allows Subscriber-Level Account Takeover

Security researchers at Wordfence have uncovered a vulnerability in the popular AI Engine plugin for WordPress, which is installed on more than 100,000 websites. Tracked as CVE-2025-5071, this flaw enables authenticated users with subscriber-level access to escalate their privileges and potentially take full control of a website.

With a CVSS score of 8.8, the vulnerability affects sites that have Dev Tools and the Model Context Protocol (MCP) module enabled—two features that are disabled by default but may be turned on by site administrators for advanced AI-powered functionality.

AI Engine, developed to integrate AI models like ChatGPT or Claude into WordPress, recently added support for Model Context Protocol (MCP). This protocol empowers AI agents to perform complex administrative tasks, such as managing files, editing users, and controlling site behavior.

While powerful, this feature opens up a dangerous attack surface when misconfigured.

At the core of the issue is the can_access_mcp() function used to validate access to MCP endpoints. The plugin initially grants access to all logged-in users, and allows further control via a filter called ‘mwai_allow_mcp’. Although the plugin offers Bearer Token authentication, the validation logic fails to check for empty values.

“Even when the Bearer Token authentication method is configured… this authentication can be bypassed due to the missing empty value check,” the report explains.

In practice, this means that any logged-in user can access the MCP endpoint if no other checks are implemented—even if the bearer token system is enabled. Once inside, the user can execute the wp_update_user command to promote their account to administrator.

“An attacker… can execute various commands… allowing them to escalate their privileges to administrator,” the report warns.

This kind of privilege escalation results in total site compromise. A user elevated to admin can:

• Upload malicious plugins or backdoors
• Modify or delete content
• Redirect visitors to malicious sites
• Inject spam or phishing content

While the vulnerability only affects websites with MCP explicitly enabled, the high install base and ease of exploitation make it a significant risk for developers and site owners experimenting with AI automation tools.

Wordfence urges all users of the AI Engine plugin to immediately update to version 2.8.4, which includes a patch for this vulnerability.

Related Posts:

• AI Dev Gallery: Microsoft Unleashes On-Device AI for Windows 11
• Google Gemini to Support Anthropic’s Model Context Protocol (MCP)
• A New Era for Windows: Microsoft’s Protocol Transforms OS into AI Agent Platform
• Toxic Agent Flow: GitHub MCP Vulnerability Exposes Private Repositories
• Tool Poisoning Attacks: Critical Vulnerability Discovered in Model Context Protocol (MCP)