A critical security vulnerability has been identified in the widely used AI Engine plugin for WordPress, exposing over 100,000 active installations to the risk of privilege escalation and potential full site compromise.
The vulnerability, tracked as CVE-2025-5071, affects versions 2.8.0 through 2.8.3 and arises from insufficient authorization checks in the Model Context Protocol (MCP) module.
While the MCP feature and associated Dev Tools are disabled by default, any site owner who has enabled these settings is at immediate risk if unpatched.
Technical Analysis
At the core of the issue is the plugin’s implementation of the can_access_mcp() function.
In the vulnerable versions, this function allows any authenticated user starting at the basic subscriber role to interact with high-privilege MCP endpoints.
Attackers leveraging a compromised or simply low-level user account can issue sensitive commands such as wp_update_user, enabling them to upgrade their own privileges and attain administrator access.
Additionally, other commands allow for editing or deleting posts and comments, as well as potentially altering site settings and user accounts.
The MCP module’s design facilitates AI-driven automation by allowing commands to be executed site-wide, mimicking actions typically limited to administrators.
However, due to missing capability checks, this feature inadvertently broadens the attack surface for malicious actors, especially in environments where the MCP module has been enabled via the Dev Tools configuration.
Notably, the plugin also supports Bearer Token authentication. However, a flaw in its implementation allows attackers to bypass token checks under certain conditions.
Specifically, if a Bearer Token is not supplied or is left empty, the authorization flow defaults to granting access to any authenticated user, further lowering the barrier to exploitation.
Patch and Mitigation Timeline
Upon discovery by the Wordfence Threat Intelligence team on May 21, 2025, the vulnerability was disclosed responsibly to the plugin developer, Jordy Meow, who released a patch (version 2.8.4) on June 18, 2025.
The patched version enhances security by modifying the can_access_mcp() logic, restricting MCP endpoint access exclusively to users with administrator capabilities.
Additionally, the authentication mechanism now incorporates robust checks for empty or invalid tokens, eliminating the previously exploitable fallback.
According to the Report, Wordfence Premium, Care, and Response users received an immediate firewall rule to block exploitation attempts as of May 22, 2025. Free Wordfence users are scheduled to receive this protection by June 21, 2025.
Given the high CVSS score of 8.8 and the prevalence of the plugin, this vulnerability poses a significant threat.
Affected site owners who have enabled the MCP module are strongly urged to update their AI Engine plugin to version 2.8.4 or later without delay.
Exploitation enables attackers to fully compromise WordPress websites uploading backdoored plugins or themes, redirecting users to malicious sites, and injecting spam content.
As always, the security community recommends keeping all plugins updated and minimizing the use of high-privilege modules or development tools on production environments, especially those with broad command capabilities such as MCP.
WordPress administrators should verify their installation settings and encourage others in their networks to check for and apply the latest updates.
Swift action is crucial to prevent potential abuse, safeguard user data, and ensure website integrity.
Find this Story Interesting! Follow us on LinkedIn and X to Get More Instant Updates.
