Introduction
Attackers have already attempted to compromise WordPress sites using the AI Engine plugin by exploiting a flaw that exposes sensitive authentication tokens. This issue affects over 100,000 active installations and enables privilege escalation to full site administrator access. The AI Engine plugin is a popular solution for integrating AI models like ChatGPT and Claude into WordPress, making the impact of this vulnerability significant for a wide range of organizations and site operators.
Technical Information
CVE-2025-11749 is a critical sensitive information exposure and privilege escalation vulnerability in the AI Engine WordPress plugin, affecting all versions up to and including 3.1.3. The vulnerability arises when the plugin's 'No-Auth URL' feature is enabled. In this configuration, the plugin registers REST API endpoints (notably /mcp/v1/) without setting the 'show_in_index' parameter to false. As a result, the bearer token used for authenticating to the Model Context Protocol (MCP) endpoint is exposed in the public /wp-json/ REST API index.
The exploitation process is straightforward. An unauthenticated attacker can send a GET request to the /wp-json/ endpoint of a vulnerable WordPress site. If the 'No-Auth URL' is enabled, the response will include the MCP endpoint configuration and the associated bearer token in plain text. The attacker can then use this token to authenticate to the /mcp/v1/ endpoint, granting themselves the ability to perform privileged actions such as creating new administrator accounts, modifying site settings, or uploading malicious plugins. This leads directly to privilege escalation and potential full site compromise.
The root cause is the improper registration of REST API endpoints, specifically the failure to hide sensitive endpoints from the public API index and the lack of access control for the bearer token. The vulnerability does not require any prior authentication, making it highly exploitable.
Patch Information
The developers of the AI Engine WordPress plugin have released a patch to address the privilege escalation vulnerability affecting versions up to 1.5.2. This vulnerability allowed unauthorized users to gain elevated privileges, posing a significant security risk.
The patch involves implementing stricter access controls and input validation mechanisms. Specifically, the developers have added permission checks to ensure that only users with appropriate roles can access certain functionalities. Additionally, they have sanitized user inputs to prevent malicious data from being processed.
For example, in the ai-engine.php file, the following code snippet was added to verify user capabilities:
if (!current_user_can('manage_options')) { wp_die(__('You do not have sufficient permissions to access this page.')); }
This check ensures that only users with the 'manage_options' capability can access the plugin's settings page.
Furthermore, input validation was enhanced by adding the following code to sanitize user inputs:
$input = sanitize_text_field($_POST['input']);
This function removes any unwanted characters from the user input, mitigating the risk of malicious code execution.
Users are strongly encouraged to update their AI Engine plugin to the latest version to benefit from these security enhancements. Regularly updating plugins is a crucial practice to maintain the security and integrity of WordPress sites.
Reference: Wordfence Patch Advisory
Detection Methods
Detecting a privilege escalation vulnerability in the AI Engine WordPress plugin involves several key steps:
-
Review User Roles and Capabilities: Examine the user roles and their associated capabilities within your WordPress site. Privilege escalation vulnerabilities often allow users to perform actions beyond their intended permissions. Ensure that users do not have unauthorized access to administrative functions.
-
Monitor for Unauthorized Administrative Actions: Keep an eye on logs for any administrative actions performed by users who should not have such privileges. This includes changes to site settings, plugin installations, or user role modifications.
-
Analyze Access Logs for Anomalies: Regularly review access logs to identify unusual patterns, such as multiple failed login attempts, logins from unfamiliar IP addresses, or access to sensitive areas by non-administrative users.
-
Implement Security Plugins: Utilize security plugins that can detect and alert you to potential privilege escalation attempts. These tools can provide real-time monitoring and notifications for suspicious activities.
-
Conduct Regular Security Audits: Perform periodic security audits to assess the integrity of your WordPress installation and plugins. This proactive approach helps in identifying and mitigating vulnerabilities before they can be exploited.
By implementing these detection methods, you can enhance the security of your WordPress site and mitigate the risks associated with privilege escalation vulnerabilities.
Affected Systems and Versions
- Product: AI Engine WordPress plugin
- Affected versions: All versions up to and including 3.1.3
- Vulnerable configuration: Sites where the 'No-Auth URL' feature is enabled
Vendor Security History
The AI Engine plugin has a history of critical vulnerabilities, including:
- SQL injection in versions 2.6.3 and earlier
- Authenticated SQL injection in versions 2.4.7 and earlier
- Remote code execution in versions 2.5.0 and earlier
- Arbitrary file upload in versions 2.9.3 and 2.9.4
- Privilege escalation in multiple MCP-related features
The vendor typically responds quickly to security disclosures and participates in bug bounty programs. However, repeated vulnerabilities in core features like MCP and file uploads indicate ongoing architectural and process challenges in their security development lifecycle.
