ZeroPath at Black Hat USA 2026

Brief Summary: CVE-2026-8719 — AI Engine WordPress Plugin Privilege Escalation via MCP OAuth Token Bypass

A short review of CVE-2026-8719, a privilege escalation vulnerability in the AI Engine WordPress plugin (version 3.4.9) where missing capability checks in the MCP OAuth bearer token path allow Subscriber level users to gain Administrator access. Includes patch analysis and mitigation guidance.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-16

Brief Summary: CVE-2026-8719 — AI Engine WordPress Plugin Privilege Escalation via MCP OAuth Token Bypass
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A missing capability check in the AI Engine WordPress plugin's MCP OAuth authorization path allowed any authenticated user, even a Subscriber, to obtain a bearer token that granted full access to admin level MCP tools. With over 100,000 active installations, this plugin's exposure surface is significant for the WordPress ecosystem.

AI Engine is a popular WordPress plugin developed by Meow Apps that provides chatbot functionality, AI powered content generation, AI forms, and a Model Context Protocol (MCP) server for integrating external AI agents. It serves as a bridge between WordPress sites and various AI services, making it a common fixture on sites that leverage AI capabilities. Version 3.4.9 introduced OAuth 2.1 with Dynamic Client Registration for the MCP server, and that is precisely where the authorization gap appeared.

Technical Information

The root cause of CVE-2026-8719 is improper privilege management (CWE-269) in the MCP OAuth bearer token flow. When version 3.4.9 added OAuth 2.1 support for the MCP server, the authorization layer was designed to validate that tokens were authentic (not expired, not revoked) but it never verified whether the WordPress user associated with the token actually held the administrator capability.

This is a critical omission because the MCP layer exposes admin level tools, including operations like wp_create_user. The vulnerable code in labs/mcp.php simply set the current WordPress user based on the token's user ID:

// Set current user based on OAuth token wp_set_current_user( $token_data['user_id'] );

No capability gate followed this call. The MCP server trusted the token alone, granting the associated user full access to every MCP tool regardless of their WordPress role.

The CVSS vector is CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, scoring 8.8 (High). The attack is network exploitable, requires low complexity, needs only a Subscriber account, and requires no user interaction.

Attack Flow

The exploitation path is straightforward:

  1. The attacker registers or already holds a Subscriber level account on the target WordPress site.
  2. The attacker initiates the MCP OAuth authorization flow, requesting a bearer token from the plugin's OAuth endpoint.
  3. The OAuth layer issues a valid token because the user is authenticated. No administrator capability check is performed.
  4. Armed with the valid bearer token, the attacker sends requests to the MCP server endpoint, invoking admin level tools (such as creating new administrator accounts or modifying existing user roles).
  5. The attacker escalates their role to Administrator, achieving full site control.

The low barrier to entry here is notable. WordPress sites that allow open registration (a common configuration for membership or community sites) expose this vulnerability to anyone who can create an account.

Patch Information

The vulnerability was patched in AI Engine version 3.5.0, released on May 16, 2026, via WordPress.org plugin changeset 3533527. Wordfence confirms version 3.5.0 as the patched release.

The fix introduced a centralized capability gate via a new user_can_authorize() method in labs/mcp-oauth.php:

public function user_can_authorize( $user_id ) { $user_id = (int) $user_id; $allowed = $user_id > 0 && user_can( $user_id, 'administrator' ); return (bool) apply_filters( 'mwai_mcp_oauth_user_can_authorize', $allowed, $user_id ); }

This method wraps the native WordPress user_can() function to verify the user is an administrator before allowing any MCP OAuth action. The result is filterable via mwai_mcp_oauth_user_can_authorize, which the code documents as an escape hatch for future multi user MCP work, with an explicit warning that weakening this gate would reintroduce privilege escalation.

The gate is enforced at two critical points:

Authorization time enforcement (labs/mcp-oauth.php): Before rendering the OAuth consent page, the patch checks whether the logged in user is an administrator. If not, the authorization flow terminates immediately:

if ( !$this->user_can_authorize( $user->ID ) ) { if ( $this->logging ) { error_log( '[AI Engine MCP OAuth] ❌ Non-admin user ' . $user->ID . ' tried to authorize client ' . $params['client_id'] ); } $this->render_error_page( 'Only administrators can authorize MCP applications on this site.' ); exit; }

The same check is repeated in the authorization form submission handler, preventing a non admin user from crafting a direct POST request to bypass the UI.

Token validation time enforcement (labs/mcp.php): This is the defense in depth layer. Even if a token was issued prior to the patch (or stored from before the authorize time admin gate landed), the MCP request handler now verifies the linked user's current capabilities every time the token is used:

if ( !$this->oauth->user_can_authorize( $token_data['user_id'] ) ) { if ( $this->logging ) { error_log( '[AI Engine MCP] ❌ OAuth token rejected: user ' . $token_data['user_id'] . ' is not an administrator.' ); } return false; }

This second check is particularly thoughtful. Without it, any existing tokens minted to non admin users before upgrading to 3.5.0 would still grant full MCP access. By re checking capabilities at validation time, the patch ensures that pre existing tokens for Subscriber level users are immediately invalidated upon upgrade.

The security critical changes are confined to labs/mcp-oauth.php and labs/mcp.php. The changeset also included unrelated updates (model deprecation tags, finetune deprecation notices, CSS fixes), but those are not relevant to the vulnerability.

Affected Systems and Versions

The vulnerability affects AI Engine version 3.4.9 specifically. The fix is available in version 3.5.0 and later.

Any WordPress site running AI Engine 3.4.9 with the MCP server functionality enabled and user registration open (or with existing non administrator accounts) is potentially vulnerable. Sites that do not use the MCP OAuth feature or that restrict all accounts to administrators only have reduced exposure, though updating remains the recommended course of action.

Vendor Security History

Meow Apps, led by developer Jordy Meow, has a documented history of responding quickly to security disclosures. In a previous incident involving CVE-2025-7847, an arbitrary file upload vulnerability affecting AI Engine versions 2.9.3 and 2.9.4, the vendor received the disclosure on July 18, 2025, and released a fully patched version (2.9.5) by July 22, 2025. Wordfence publicly commended the developer for their prompt response during that incident.

For CVE-2026-8719, the vendor maintained this pattern, releasing version 3.5.0 shortly after version 3.4.9 was deployed. This consistent track record supports keeping auto updates enabled for this plugin.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization