AI Engine Flaw Exposes 100,000 WordPress Sites to Attack

A critical vulnerability in the AI Engine WordPress plugin has placed over 100,000 active websites at risk of full compromise through unauthenticated privilege escalation attacks. 

The flaw allows attackers to extract authentication tokens and gain administrative control over affected WordPress installations.

From Token Leak to Takeover

The vulnerability (CVE-2025-11749) stems from a sensitive information exposure issue affecting all versions of AI Engine up to and including 3.1.3.

When administrators enable the No-Auth URL feature in the plugin’s Model Context Protocol (MCP) settings, the plugin inadvertently exposes bearer tokens via the /wp-json/ REST API index. 

These tokens act as authentication credentials for AI agents such as Claude or ChatGPT, allowing them to manage content, execute commands, and modify user accounts through the plugin’s integration with WordPress.

Once exposed, these bearer tokens can be harvested by unauthenticated attackers simply by visiting the /wp-json/ endpoint on vulnerable sites. 

Using these credentials, threat actors can authenticate to the MCP endpoint and run privileged commands, including wp_update_user, to escalate their privileges to the administrator level. 

With administrative access secured, attackers can upload malicious plugins, inject spam, redirect visitors to phishing sites, or install persistent backdoors.

How One Parameter Opened the Door

The vulnerability resides in the Meow_MWAI_Labs_MCP class, where REST API routes are registered using the rest_api_init() function. 

The flaw occurs when the No-Auth URL feature is enabled. The plugin registers special REST API endpoints containing the bearer token directly in the URL path but fails to hide these endpoints from the public API index.

Specifically, the plugin did not set the show_in_index parameter to false when creating these routes, making them visible to anyone viewing the API index. 

This oversight effectively exposed sensitive authentication tokens to the internet, allowing attackers to access them without needing any prior credentials or interaction.

The plugin’s developer addressed the issue in version 3.1.4 by modifying the route registration code to include show_in_index => false, preventing the endpoints from being listed publicly. 

However, any sites that previously had the No-Auth URL option enabled must immediately rotate their bearer tokens, as those credentials may already be compromised.

AI Power Meets Security Risk

The AI Engine plugin allows AI agents to manage WordPress sites via the Model Context Protocol (MCP), enabling deep integration with systems like Claude and ChatGPT. 

While this functionality enhances automation and productivity, it also increases the attack surface if authentication controls are misconfigured.

The integration of AI agents into administrative environments creates new risks when APIs and credentials are not properly secured. 

As more plugins and applications embed AI connectivity, developers and administrators alike must treat token exposure as a critical vulnerability vector.

Strengthening WordPress Defenses

While updating to the patched version is essential, organizations should take additional precautions to strengthen their overall WordPress and API security posture.

• Disable unused API features like No-Auth URL and regularly review REST API exposure.
• Use a web application firewall (WAF) to block unauthorized or suspicious API requests.
• Rotate tokens and credentials regularly, especially after applying patches.
• Apply role-based access controls (RBAC) to limit plugin and AI agent permissions.
• Harden WordPress security by enforcing HTTPS, disabling file editing, and updating plugins.
• Monitor logs and API activity for unusual access or privilege escalation attempts.
• Run regular security audits to detect outdated or misconfigured plugins and integrations.

Implementing these measures helps organizations minimize the risk of token exposure and successful privilege escalation.  

The AI Engine vulnerability demonstrates how minor configuration oversights in AI-integrated plugins can lead to full system compromise. 

With over 100,000 affected installations, this flaw serves as a critical reminder that authentication tokens and API endpoints must be treated as sensitive assets.

As AI tools become increasingly embedded in content management systems, the line between convenience and security continues to blur. 

This growing tension between accessibility and security underscores why many organizations are turning to a zero-trust approach as part of their cyber resilience.