Privilege Escalation Vulnerability in AI Engine WordPress Plugin, Allows Subscriber-Level Account Takeover
Summary :Security Advisory: A critical privilege escalation vulnerability (CVE-2025-5071) was discovered in the AI Engine WordPress plugin, allowing subscriber-level users to gain administrator privileges when the MCP (Model Context Protocol) module is enabled.
| OEM | WordPress |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-5071 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the ‘Meow_MWAI_Labs_MCP::can_access_mcp’ function in versions 2.8.0 to 2.8.3.
This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like ‘wp_create_user’, ‘wp_update_user’ and ‘wp_update_option’, which can be used for privilege escalation, and ‘wp_update_post’, ‘wp_delete_post’, ‘wp_update_comment’ and ‘wp_delete_comment’, which can be used to edit and delete posts and comments.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Privilege Escalation Vulnerability | CVE-2025-5071 | AI Engine WordPress Plugin | High | 2.8.4 |
Technical Summary
AI Engine is a WordPress plugin that recently introduced support for MCP (Model Context Protocol), which allows AI agents – such as Claude or ChatGPT – to control and manage the WordPress website by executing various commands, managing media files, editing users, and performing complex tasks more reliably than through standard APIs.
The vulnerability stems from insufficient authorization checks in the can_access_mcp () function within the plugin, enabling any authenticated (logged-in) user to bypass Bearer Token validation and access MCP endpoints.
This access can be exploited to escalate user privileges by executing commands such as wp_update_user, ultimately leading to full site compromise.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-5071 | WordPress with AI Engine Plugin 2.8.0–2.8.3 | The can_access_mcp() function incorrectly grants MCP endpoint access to all logged-in users. Even when Bearer Token authentication is enabled, lack of empty value checks in the token validation logic allows privilege escalation. | Complete site compromise |
Remediation:
- Immediate Action: Update the AI Engine plugin to version 2.8.4 or later.
- Configuration Check: Ensure that MCP and Dev Tools modules remain disabled unless it’s necessary.
Conclusion:
The CVE-2025-5071 vulnerability in the AI Engine WordPress plugin highlights the potential risks when advanced modules like MCP are misconfigured.
Even though the feature is disabled by default, sites that have enabled it become susceptible to complete takeover by authenticated users.
Website administrators are urged to update to version 2.8.4 immediately and verify that security best practices are enforced to prevent such escalations. With over 100,000 active installations, this flaw presents a significant risk to the WordPress ecosystem if left unpatched.
References:
t