On October 4th, 2025, we received a submission for a Sensitive Information Exposure vulnerability in AI Engine, a WordPress plugin with more than 100,000 active installations. This vulnerability can be exploited by unauthenticated attackers to extract the bearer token and then get full access to the MCP and execute various commands like ‘wp_update_user’, allowing them to escalate their privileges to administrators by updating their user role. Please note that this vulnerability only critically affects users who have enabled the ‘No-Auth URL’ in the MCP settings, which is disabled by default.
Props to Emiliano Versini who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This vulnerability was disclosed to our program just one day after it was introduced. This researcher earned a bounty of $2,145.00 for this discovery. Our mission is to secure WordPress through defense in depth, which is why we are investing in quality vulnerability research and collaborating with researchers of this caliber through our Bug Bounty Program. We are committed to making the WordPress ecosystem more secure through the detection and prevention of vulnerabilities, which is a critical element to our multi-layered approach to security.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on October 15, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on November 14, 2025.
We provided full disclosure details to Jordy Meow instantly through our Wordfence Vulnerability Management Portal on October 14, 2025. The developer released the patch on October 19, 2025. We would like to commend Jordy Meow for their prompt response and timely patch.
We would like to draw attention to the fact that for those who have enabled this setting, the bearer token may have been exposed on their websites. This means that the only secure solution is to rotate the token, so we recommend performing this action immediately.
We urge users to update their sites with the latest patched version of AI Engine, version 3.1.4 at the time of this publication, and change the token in the settings page, as soon as possible.
📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢
🚀 Operation: Maximum Impact Challenge! Now through November 10, 2025, earn 2X bounty rewards for all in-scope submissions in software with at least 5,000 active installs and fewer than 5 million active installs. Bounties up to $31,200 per vulnerability. Submit bold. Earn big!
📁 The LFInder Challenge: Refine your LFI hunting skills with an expanded scope. Now through November 24, 2025, all LFI vulnerabilities in software with at least 25 active installs are considered in-scope for all researchers, regardless of researcher tier, AND earn a 30% bonus on all Local File Inclusion vulnerability submissions not already increased by another promotion.
Vulnerability Summary from Wordfence Intelligence
AI Engine
The AI Engine plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.1.3 via the /mcp/v1/ REST API endpoint that exposes the ‘Bearer Token’ value when ‘No-Auth URL’ is enabled. This makes it possible for unauthenticated attackers to extract the bearer token, which can be used to gain access to a valid session and perform many actions like creating a new administrator account, leading to privilege escalation.
Technical Analysis
AI Engine is a WordPress plugin that includes MCP (Model Context Protocol) integration, which allows AI agents – such as Claude or ChatGPT – to control and manage the WordPress website by executing various commands, managing media files, editing users, and performing complex tasks more reliably than through standard APIs.
Examining the code reveals that the plugin uses the rest_api_init() function in the Meow_MWAI_Labs_MCP class to register the REST API routes.
public function rest_api_init() {
// Load bearer token if not already loaded
if ( $this->bearer_token === null ) {
$this->bearer_token = $this->core->get_option( 'mcp_bearer_token' );
}
// Only add filter once
static $filter_added = false;
if ( !empty( $this->bearer_token ) && !$filter_added ) {
add_filter( 'mwai_allow_mcp', [ $this, 'auth_via_bearer_token' ], 10, 2 );
$filter_added = true;
}
register_rest_route( $this->namespace, '/sse', [
'methods' => [ 'GET', 'POST', 'HEAD' ], // Support HEAD for client endpoint checks
'callback' => [ $this, 'handle_sse' ],
'permission_callback' => function ( $request ) {
return $this->can_access_mcp( $request );
},
] );
register_rest_route( $this->namespace, '/messages', [
'methods' => 'POST',
'callback' => [ $this, 'handle_message' ],
'permission_callback' => function ( $request ) {
return $this->can_access_mcp( $request );
},
] );
// No-Auth URL endpoints (with token in path)
$noauth_enabled = $this->core->get_option( 'mcp_noauth_url' );
if ( $noauth_enabled && !empty( $this->bearer_token ) ) {
register_rest_route( $this->namespace, '/' . $this->bearer_token . '/sse', [
'methods' => 'GET',
'callback' => [ $this, 'handle_sse' ],
'permission_callback' => function ( $request ) {
return $this->handle_noauth_access( $request );
},
] );
register_rest_route( $this->namespace, '/' . $this->bearer_token . '/sse', [
'methods' => 'POST',
'callback' => [ $this, 'handle_sse' ],
'permission_callback' => function ( $request ) {
return $this->handle_noauth_access( $request );
},
] );
register_rest_route( $this->namespace, '/' . $this->bearer_token . '/messages', [
'methods' => 'POST',
'callback' => [ $this, 'handle_message' ],
'permission_callback' => function ( $request ) {
return $this->handle_noauth_access( $request );
},
] );
}
}
In the “No-Auth URL endpoints (with token in path)” section, the endpoints are registered just like the other endpoints, without setting the parameter ‘show_in_index‘ to false. This means that these endpoints are also public, resulting in them being listed in the /wp-json/ REST API index. This ultimately means that the bearer token is publicly exposed and visible and accessible to unauthenticated attackers when configured.
An attacker who authenticates themselves with the bearer token and thereby gains access to the MCP endpoint can execute various commands, such as ‘wp_update_user’, allowing them to update their own user role to administrator, thereby granting themselves elevated privileges.
As with any Privilege Escalation vulnerability, this can be used for complete site compromise. Once an attacker has gained administrative user access to a WordPress site, they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modify posts and pages which can be leveraged to redirect site users to other malicious sites or inject spam content.
We would like to draw attention once again to the fact that the vulnerability only critically affects users who have enabled the ‘No-Auth URL’ in the MCP settings, which is disabled by default.
The Patch
The vendor patched this issue by modifying the REST API route registration, and adding the ‘show_in_index => false‘ argument.
// No-Auth URL endpoints (with token in path)
$noauth_enabled = $this->core->get_option( 'mcp_noauth_url' );
if ( $noauth_enabled && !empty( $this->bearer_token ) ) {
register_rest_route( $this->namespace, '/' . $this->bearer_token . '/sse', [
'methods' => 'GET',
'callback' => [ $this, 'handle_sse' ],
'permission_callback' => function ( $request ) {
return $this->handle_noauth_access( $request );
},
'show_in_index' => false,
] );
register_rest_route( $this->namespace, '/' . $this->bearer_token . '/sse', [
'methods' => 'POST',
'callback' => [ $this, 'handle_sse' ],
'permission_callback' => function ( $request ) {
return $this->handle_noauth_access( $request );
},
'show_in_index' => false,
] );
register_rest_route( $this->namespace, '/' . $this->bearer_token . '/messages', [
'methods' => 'POST',
'callback' => [ $this, 'handle_message' ],
'permission_callback' => function ( $request ) {
return $this->handle_noauth_access( $request );
},
'show_in_index' => false,
] );
}
Again, this patch only prevents further token exposure. If a token was already configured and exposed, the only secure remedy is to rotate the token.
Wordfence Firewall
The following graphic demonstrates the steps to exploitation an attacker might take and at which point the Wordfence firewall would block an attacker from successfully exploiting the vulnerability.
The Wordfence firewall rule detects the malicious REST API action and blocks the request.
Disclosure Timeline
October 4, 2025 – We received the submission for the Sensitive Information Exposure vulnerability in AI Engine via the Wordfence Bug Bounty Program.
October 14, 2025 – We validated the report and confirmed the proof-of-concept exploit. Full disclosure details were sent instantly to the vendor through our Wordfence Vulnerability Management Portal.
October 15, 2025 – Wordfence Premium, Care, and Response users received a firewall rule to provide added protection against any exploits that may target this vulnerability.
October 19, 2025 – The vendor acknowledged the report and began working on a fix.
October 19, 2025 – The fully patched version of the plugin, 3.1.4, was released.
November 14, 2025 – Wordfence Free users will receive the same protection.
Conclusion
In this blog post, we detailed a Sensitive Information Exposure vulnerability within the AI Engine plugin affecting versions 3.1.3 and earlier. This vulnerability allows unauthenticated threat actors to extract the bearer token and then get full access to the MCP and gain elevated privileges. The vulnerability has been fully addressed in version 3.1.4 of the plugin.
We encourage WordPress users to verify that their sites are updated to the latest patched version of AI Engine, and change the bearer token in the plugin settings as soon as possible considering the critical nature of this vulnerability.
Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on October 15, 2025. Sites using the free version of Wordfence will receive the same protection 30 days later on November 14, 2025.
If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.
The post 100,000 WordPress Sites Affected by Privilege Escalation Vulnerability in AI Engine WordPress Plugin appeared first on Wordfence.
