A serious vulnerability in the AI Engine WordPress plugin has exposed more than 100,000 websites to privilege escalation attacks. The issue, tracked as CVE-2025-11749 with a CVSS score of 9.8, allows attackers to gain full administrative access without authentication.
The flaw was discovered by security researcher Emiliano Versini on October 4, 2025, and responsibly reported through the Wordfence Bug Bounty Program. He received a bounty of $2,145 for his report.
The vulnerability affects all versions of AI Engine up to and including 3.1.3. It is linked to the plugin’s Model Context Protocol (MCP) feature, which allows AI tools like ChatGPT and Claude to control WordPress sites for tasks such as managing media files or editing user accounts.
When administrators enable the “No-Auth URL” option in the MCP settings, the plugin unintentionally exposes bearer tokens through the /wp-json/ REST API index. These tokens serve as authentication credentials. Once exposed, anyone can extract them and gain unrestricted control over the affected site.
According to Wordfence researchers, the root cause is in how the plugin registers REST API routes. The code registers the No-Auth endpoints without the show_in_index => false parameter, so they are not hidden from the public API index. This makes the endpoints — and the embedded tokens — visible to anyone visiting the /wp-json/ page of the site.
With the exposed token, an attacker can authenticate to the MCP endpoint and run commands like wp_update_user, escalating their privileges to the administrator level. Once they gain admin access, they can install malicious plugins, modify content, or redirect site visitors to harmful domains.
The issue resides in the Meow_MWAI_Labs_MCP class where REST routes are registered. When the No-Auth URL setting is active, the plugin registers special endpoints with the bearer token included in the path. These endpoints are meant to allow AI agents to communicate without traditional login, but the implementation exposes them publicly.
By simply visiting the /wp-json/ endpoint, an attacker can view all registered REST API routes. If the No-Auth feature is enabled, the token becomes visible, giving direct access to execute privileged actions.
Plugin developer Jordy Meow patched the issue in version 3.1.4 by adding the show_in_index => false parameter, which hides the sensitive endpoints from public view. However, websites that had No-Auth URLs enabled before updating must rotate their bearer tokens immediately, as exposed tokens may already be compromised.
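The registration defect described above, as an added illustration rather than the AI Engine plugin's own code: a No-Auth style endpoint whose path carries the bearer token is advertised by GET /wp-json/ because show_in_index defaults to true, and the fixed registration passes show_in_index => false. The namespace, route pattern, option name and callback below are hypothetical placeholders.

```php
<?php
// Added example (not from the AI Engine plugin). Shows why a token embedded in
// a REST route path leaks through the public index, and the 3.1.4-style fix.

// Hypothetical handler: in the real plugin this would dispatch MCP commands.
function example_mcp_handle( WP_REST_Request $request ) {
    return new WP_REST_Response( array( 'status' => 'ok' ), 200 );
}

// VULNERABLE pattern: the full route, token included, is listed in the
// REST index because WordPress defaults every endpoint to show_in_index => true.
function example_register_mcp_vulnerable() {
    $token = get_option( 'example_mcp_no_auth_token' ); // hypothetical option
    register_rest_route(
        'example-mcp/v1',                 // hypothetical namespace
        '/no-auth/' . $token . '/mcp',    // the secret is part of the URL
        array(
            'methods'             => 'POST',
            'callback'            => 'example_mcp_handle',
            // No login required: the URL itself is the credential, so
            // anyone who can read the index can call this endpoint.
            'permission_callback' => '__return_true',
        )
    );
}

// FIXED pattern: identical endpoint, but kept out of GET /wp-json/.
function example_register_mcp_fixed() {
    $token = get_option( 'example_mcp_no_auth_token' );
    register_rest_route(
        'example-mcp/v1',
        '/no-auth/' . $token . '/mcp',
        array(
            'methods'             => 'POST',
            'callback'            => 'example_mcp_handle',
            'permission_callback' => '__return_true',
            'show_in_index'       => false, // omit from the public route listing
        )
    );
}

// Only the fixed registration should ever run; the vulnerable one is shown
// for comparison. Hiding the route does not revoke a token that was already
// listed, which is why the page tells affected sites to rotate it.
add_action( 'rest_api_init', 'example_register_mcp_fixed' );
```

After updating, an unauthenticated GET /wp-json/ should no longer list the No-Auth route; if it was ever listed, regenerate the token as the article advises.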
Wordfence released firewall rules for Premium, Care, and Response customers on October 15, 2025, with free users scheduled to receive the protection on November 14, 2025. The new firewall rules block malicious REST API requests that attempt to exploit the MCP endpoint.
If you are using the AI Engine plugin, update it to version 3.1.4 or later without delay. Then, regenerate your bearer tokens from the plugin settings. This will ensure that any previously exposed credentials are replaced and your site is safe from this critical vulnerability.