File Read Vulnerability in SmartSlider Impacts 500K WordPress Sites
vulnerability in the Smart Slider 3 WordPress plugin
Continue Readingwordpress
Privilege Escalation Vulnerability in AI Engine WordPress Plugin, Allows Subscriber-Level Account Takeover
Summary :Security Advisory: A critical privilege escalation vulnerability (CVE-2025-5071) was discovered in the AI Engine WordPress plugin, allowing subscriber-level users to gain administrator privileges when the MCP (Model Context Protocol) module is enabled.
| OEM | WordPress |
| Severity | High |
| CVSS Score | 8.8 |
| CVEs | CVE-2025-5071 |
| POC Available | Yes |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview
The AI Engine plugin for WordPress is vulnerable to unauthorized modification of data and loss of data due to a missing capability check on the ‘Meow_MWAI_Labs_MCP::can_access_mcp’ function in versions 2.8.0 to 2.8.3.
This makes it possible for authenticated attackers, with subscriber-level access and above, to have full access to the MCP and run various commands like ‘wp_create_user’, ‘wp_update_user’ and ‘wp_update_option’, which can be used for privilege escalation, and ‘wp_update_post’, ‘wp_delete_post’, ‘wp_update_comment’ and ‘wp_delete_comment’, which can be used to edit and delete posts and comments.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Privilege Escalation Vulnerability | CVE-2025-5071 | AI Engine WordPress Plugin | High | 2.8.4 |
Technical Summary
AI Engine is a WordPress plugin that recently introduced support for MCP (Model Context Protocol), which allows AI agents – such as Claude or ChatGPT – to control and manage the WordPress website by executing various commands, managing media files, editing users, and performing complex tasks more reliably than through standard APIs.
The vulnerability stems from insufficient authorization checks in the can_access_mcp () function within the plugin, enabling any authenticated (logged-in) user to bypass Bearer Token validation and access MCP endpoints.
This access can be exploited to escalate user privileges by executing commands such as wp_update_user, ultimately leading to full site compromise.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-5071 | WordPress with AI Engine Plugin 2.8.0–2.8.3 | The can_access_mcp() function incorrectly grants MCP endpoint access to all logged-in users. Even when Bearer Token authentication is enabled, lack of empty value checks in the token validation logic allows privilege escalation. | Complete site compromise |
Remediation:
- Immediate Action: Update the AI Engine plugin to version 2.8.4 or later.
- Configuration Check: Ensure that MCP and Dev Tools modules remain disabled unless it’s necessary.
Conclusion:
The CVE-2025-5071 vulnerability in the AI Engine WordPress plugin highlights the potential risks when advanced modules like MCP are misconfigured.
Even though the feature is disabled by default, sites that have enabled it become susceptible to complete takeover by authenticated users.
Website administrators are urged to update to version 2.8.4 immediately and verify that security best practices are enforced to prevent such escalations. With over 100,000 active installations, this flaw presents a significant risk to the WordPress ecosystem if left unpatched.
References:
t
Critical Privilege Escalation Vulnerability in Motors WordPress Theme
Summary: A critical privilege escalation vulnerability (CVE-2025-4322) has been identified in the Motors WordPress theme, a widely used premium theme tailored for car dealerships, rentals, and vehicle listings.
| OEM | WordPress |
| Severity | Critical |
| CVSS Score | 9.8 |
| CVEs | CVE-2025-4322 |
| Actively Exploited | No |
| Exploited in Wild | No |
| Advisory Version | 1.0 |
Overview This vulnerability affects versions up to 5.6.67 and could allow unauthenticated attackers to reset passwords for any user, including administrators, leading to complete site compromise. The issue has been addressed in version 5.6.68, and immediate patching is strongly recommended.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Privilege Escalation via Password Reset Bypass | CVE-2025-4322 | Motors WordPress Theme | Critical | 5.6.68 |
Technical Summary
The vulnerability arises from insufficient input validation in the Login Register widget of the Motors theme, specifically within the password-recovery.php template. An attacker can manipulate the hash_check parameter using an invalid UTF-8 character, which is improperly sanitized by the esc_attr() function. This allows the attacker to bypass password reset validations and change passwords without authorization, even for administrator accounts.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-4322 | Motors WordPress Theme (<= 5.6.67) | The password-recovery.php file fails to properly validate whether the stm_lost_password_hash exists and is correct. If the hash is empty (e.g. – no reset was requested), an attacker can bypass the check using an invalid UTF-8 character. The esc_attr() sanitization strips the invalid character after validation, resulting in a successful hash match and unauthorized password update. | Complete site compromise. |
Remediation:
- Immediately update: To mitigate the vulnerability, users of the Motors WordPress theme should immediately update to version 5.6.68 or later.
Conclusion:
CVE-2025-4322 is a critical privilege escalation vulnerability affecting over 22,000+ WordPress sites using the Motors theme.
Exploiting this flaw, unauthenticated attackers can reset administrator passwords and gain full control of vulnerable sites. The vulnerability was responsibly disclosed and swiftly addressed by the vendor, with a patched version (5.6.68) released.
Given the ease of exploitation and potential for full site compromise, users are strongly advised to update immediately.
Organizations relying on the Motors theme should also implement multi-layered security practices, such as web application firewalls, routine patching, and access monitoring, to safeguard their digital assets against similar threats in the future.
References:
WordPress Age Gate Plugin Critical Vulnerability (CVE-2025-2505) Affects Over 40,000 Websites
The Age Gate plugin for WordPress is vulnerable to Local PHP File Inclusion in all versions up to, and including, 3.5.3 via the ‘lang’ parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary PHP files on the server, allowing the execution of code in those files.
| OEM | WordPress |
| Severity | Critical |
| CVSS score | 9.8 |
| CVEs | CVE-2025-2505 |
| Exploited in Wild | No |
| Patch/Remediation Available | Yes |
| Advisory Version | 1.0 |
Overview
A critical vulnerability (CVE-2025-2505) in the Age Gate plugin for WordPress allows unauthenticated Local PHP File Inclusion (LFI), potentially enabling remote code execution. This flaw affects all versions up to 3.5.3 and has been patched in version 3.5.4. Over 40,000 websites are affected by this vulnerability.
This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
| Vulnerability Name | CVE ID | Product Affected | Severity | Fixed Version |
| Improper Limitation of a Pathname to a Restricted Directory | CVE-2025-2505 | Age Gate WordPress Plugin | Critical | v3.5.4 |
Technical Summary
The vulnerability exists due to improper limitation of pathname input, leading to an unauthenticated Local PHP File Inclusion (LFI) attack through the lang parameter. This flaw can be exploited by attackers to execute arbitrary PHP files, bypass access controls, and compromise server security.
| CVE ID | System Affected | Vulnerability Details | Impact |
| CVE-2025-2505 | WordPress websites using Age Gate Plugin (<=3.5.3) | Local PHP File Inclusion via ‘lang’ parameter allows execution of arbitrary PHP files. | Unauthorized code execution, data exfiltration, privilege escalation, potential full server compromise. |
Remediation:
- Update Age Gate plugin to version 3.5.4 or later as soon as possible.
Conclusion:
Attackers can potentially: – Include and execute arbitrary PHP files on the server – Bypass access controls – Obtain sensitive site data – Achieve remote code execution – Compromise the entire WordPress site’s integrity and availability
This vulnerability poses a severe risk to WordPress websites utilizing the Age Gate plugin. Prompt patching and proactive security measures are crucial to mitigating potential attacks.
Users are strongly advised to update to the latest version without delay to protect their websites from unauthorized code execution.
CVE-2025-2505 affects all versions of the Age Gate plugin for WordPress up to and including version 3.5.3.
References:
Critical WordPress Security Flaw in Everest Forms Plugin
UAE Cyber Security Council has observed a critical vulnerability in Everest Forms WordPress
plugin
Privilege Escalation Vulnerability in ComboBlocks Plugin Affects Thousands of Sites
A critical vulnerability in the ComboBlocks WordPress plugin (formerly Post Grid and Gutenberg Blocks) exposes over 40,000 websites to potential complete takeover by unauthenticated attackers. This vulnerability exists due to improper handling of user meta during the registration process, enabling privilege escalation. It affects versions 2.2.85 to 2.3.3 and has been addressed in version 2.3.4.
OEM | WordPress |
Severity | Critical |
Date of Announcement | 2025-01-17 |
CVSS score | 9.8 |
CVE | CVE-2024-9636 |
Exploited in Wild | No |
Patch/Remediation Available | Yes |
Advisory Version | 1.0 |
Overview
ComboBlocks, a plugin designed to enhance website design and functionality, was found to have a critical security flaw (CVE-2024-9636) that could allow unauthenticated attackers to register as administrators, granting them full control over the affected websites.
Vulnerability Name | CVE ID | Product Affected | Severity | CVSS Score |
Unauthenticated Privilege Escalation | CVE-2024-9636 | ComboBlocks WordPress Plugin | Critical | 9.8 |
Technical Summary
CVE ID | System Affected | Vulnerability Details | Impact |
CVE-2024-9636 | ComboBlocks plugin (2.2.85 - 2.3.3) | The vulnerability stems from improper restriction of user meta updates during profile registration. This flaw allows unauthenticated attackers to register as administrators, granting them full control over the website. | Complete website takeover and malware injection. |
Remediations
- Update Plugin: Immediately update the ComboBlocks plugin to version 2.3.4 or later.
- Review Administrative Accounts:
- Audit all user accounts with administrative privileges.
- Revoke any unauthorized access.
- Enhance Security Posture:
- Enable multi-factor authentication (MFA) for all admin accounts.
- Restrict user permissions based on the principle of least privilege.
- Use a web application firewall (WAF) to filter and block malicious traffic.
- Monitor and Log Activity:
- Activate detailed logging for user registration and privilege changes.
- Configure alerts for unusual activity, such as mass registrations or privilege escalations.
- Implement Preventative Measures:
- Regularly update all plugins and themes.
- Backup the WordPress site frequently to ensure quick recovery in case of any compromise.
Recent Comments