AI Engine 3.4.9 – Subscriber+ Privilege Escalation via Missing Authorization in MCP OAuth Bearer Token | CVE 2026-8719 | Plugin Vulnerabilities

Description

The plugin is vulnerable to Privilege Escalation due to missing WordPress capability enforcement in the MCP OAuth bearer-token authorization path, where any valid OAuth token causes MCP access to be granted without verifying administrator privileges. This makes it possible for authenticated attackers, with Subscriber-level access and above, to invoke admin-level MCP tools and escalate privileges to Administrator.

Affects Plugins

Fixed in 3.5.0

References

CVE

URL

https://www.wordfence.com/threat-intel/vulnerabilities/id/0593c20d-3422-4817-9639-614254b609db

Classification

Type

PRIVESC

OWASP top 10

A2: Broken Authentication and Session Management

CWE

CVSS

Miscellaneous

Original Researcher

daroo

Verified

No

WPVDB ID

a930eabb-0672-49f8-9df0-5f18b084dbba

Timeline

Publicly Published

2026-05-16 (about 24 days ago)

Added

2026-05-18 (about 21 days ago)

Last Updated

2026-06-05 (about 3 days ago)

Other

Published

Title

Published

2026-05-19

Title

Easy Elements for Elementor < 1.4.5 - Unauthenticated Privilege Escalation via easyel_handle_register

Published

2025-09-20

Title

Dokan < 4.1.4 - Shop Manager+ Privilege Escalation

Published

2022-12-12

Title

iubenda < 3.3.3 - Subscriber+ Privileges Escalation to Admin

Published

2023-08-21

Title

MasterStudy LMS < 3.0.18 - Unauthenticated Instructor Account Creation

Published

2025-01-13

Title

Homey <= 2.4.1 - Authenticated (Subscriber+) Privilege Escalation